Skip to Content

Cybersecurity & Standards, Government Surveillance

Will the White House Executive Order on Cybersecurity Look Like CISPA?

White House officials have signaled recently that the President may issue an executive order on cybersecurity to do by administrative fiat some of what Congress has not (yet?) done through legislation. Key Senators have called for the White House to act.

I haven’t seen the draft executive order described in this Open Congress blog post or in this Washington Post story.

But, it’s important to keep in mind that the three worst parts of CISPA from a privacy perspective were that (i) it drove a bulldozer through all of the privacy statutes by authorizing ISPs to share customer communications information “notwithstanding any law,” (ii) empowered companies to share those communications directly with the super secret military-intelligence agency, the NSA, and (iii) allowed the NSA to use the info it received for any national security purpose.

An executive order from the White House couldn’t do the first of these, and given the Administration’s position on cybersecurity, would probably not do the other two.  It can’t drive a bulldozer through the privacy laws because it would need a statutory exception to those laws in order to start the bulldozer. It probably won’t do the latter two because it both proposed it’s own contrary legislation in May 2011 and endorsed the contrary position in the Lieberman-Collins bill.

An executive order on cybersecurity could make some needed changes that are entirely within the control of government. It could, for example, encourage intelligence agencies to declassify more cyber threat signatures and share them with the private sector, and share more classified threat signatures with cleared network operators. It could require agencies to report when they receive cybersecurity disclosures under existing law from companies in the private sector, and make public the extent of such disclosures.

I don’t know what to expect in an Executive Order on cybersecurity, and I don’t know whether it will be good or bad for privacy and innovation, but don’t expect the White House to attempt to enact a CISPA-like, privacy-invading cybersecurity program through executive order. After all, the White House threatened to veto CISPA, in very strong language, in large part on privacy grounds.