Today the Office of the President published EO 13694 in the Federal Register (80 FR 18077-18079). This is the Executive Order on cyber-attack response that I described yesterday. This was published a little faster than normal, but I am not sure that that is really indicative of anything.
There are no regulatory actions required under this EO, though the Secretary of the Treasury is authorized to issue regulations. I suspect that there will be some sort of regulations promulgated at some point in time.
In the past 24 hours there has been some serious internet discussion about the implications of this EO on the international cybersecurity research community. While this may be just a bit of normal paranoia, there is some legitimate concern that the broadly defined scope of action that justifies retaliation could be used to stifle publication of cybersecurity research. While I don’t think that that concern is immediately justified, in the long term there is always the possibility that the provisions of this EO could be used in that manner.
That is one of the problems with executive orders. There is none of the public political give and take, discussion and reworking of the specifics of the requirements that serves as a limitation on the scope of retaliatory actions. This is especially true when there is no specific requirement to keep Congress, the Courts or the public informed about actions taken under this authority.
The other side of that coin is that there is no legal requirement to implement the policies outlined in the EO. This could just as easily sit unused as anything more than a feel-good statement of intent to do something about an apparently intractable problem. I don’t think that it will be, but it is always possible.