Cybersecurity Moving Forward at the Pace of Politics

As everyone in the cybersecurity industry surely knows, the Senate last week failed to limit debate on S 3414, the Cybersecurity Act of 2012. While most pundits have commented that this kills the bill for this year (and this Congress), that is not technically correct. Sen. Reid (D,NV), after having voted against cloture was able to offer a motion to reconsider the cloture vote. That means that after the Senate reconvenes on September 10^th, the cloture vote could be called again.

Consideration of the Bill Still Possible

There are numerous reports that negotiation are still underway on which amendments would be considered on the bill if a subsequent cloture vote were to succeed. There is a remote possibility that some sort of agreement could be reached that would allow for consideration of the bill either before the election or in the lame duck session after the election.

The compromise version of the bill would have to severely reduce the already limited regulatory provisions of the bill before it could stand any chance of coming to the floor of the House for subsequent approval. It would seem that there are little prospects of the bill passing.

The Possibility of an Executive Order

An interesting development occurred over the weekend with the suggestion that President Obama might issue, before the election, an executive order on cybersecurity. Such an order could put into place many of the provisions of S 3414 without Congressional action. One of the more interesting pieces on this possibility can be found over on the Volokh Conspiracy blog. Stewart Baker does a good job at looking at what could be done in cybersecurity with such an executive order.

More importantly he makes an interesting political point:

“An executive order would also advance a story line that has the President robustly protecting national security while a do-nothing Congress dithers.”

If an executive order were broadly and non-specifically crafted it might sway some of the non-committed, moderate voters who are fed up with the grid lock in Congress. In some swing states this could be enough to change the outcome of the election. It would still be a fine balancing act, however, as any information sharing provisions of such an order would be seen by many members of the President’s base as an attack on civil liberties. While this wouldn’t convince any of them to vote for Romney, it could cause a significant number to sit out the election; potentially throwing swing states into the Romney column.

I would suspect that there are White House staffers hard at work on carefully crafting an executive order directing DHS to take some cybersecurity actions. At the same time the Obama campaign would be hard at work trying to figure out the political consequences of such an order. If one were to be published I would expect it to be done in early October. In the meantime political surrogates on both sides will be discussing the issue; prepping the ground for an October surprise and its response.

Implementing an Executive Order

An executive order takes time to craft; it is after all is said and done a political document as much as it is a legal document. In this case, not only would it have to withstand the scrutiny of a political campaign, but President Obama would be writing it with a President Romney in mind. An executive order can be vacated as easily as it is written, so it would be written to withstand the review of the next administration.

More importantly, the regulations that would implement that executive order would have to go through the standard publish, public-comment, and revise processes that regulations based upon legislation would have to go through. Given the time that it takes to write and internally review regulations, there is no way that the first NPRM based upon an executive order published next month would be ready for OMB review before January 1^st. Given the slow pace that we have seen over the last decade in crafting controversial regulations it would be likely sometime in 2016 before we saw any effective regulations coming out of a cybersecurity executive order.