The Obama administration is considering issuing an executive order that would require the Department of Homeland Security to devise a set of cybersecurity guidelines, according to internal administration documents obtained by U.S. News.
The order would do much of what the Cyber Intelligence Sharing and Protection Act (CISPA)—which the House of Representatives passed in April but failed to pass the Senate—would have done, but with a few key differences.
Various privacy advocacy groups strongly opposed CISPA because it would have allowed private companies to exchange user data with the federal government, most likely the National Security Administration, in exchange for critical cybersecurity information, a provision that the Center for Democracy and Technology's Greg Nojeim said would have "pre-empted privacy laws" and would have "permitted communication info to flow directly to the NSA."
"An executive order can't do the damage that CISPA could have done to privacy because an executive order can't trump privacy laws," he says. In April, Obama threatened to veto CISPA, citing privacy concerns, leading Nojeim to suggest that a final executive order would stay away from invading personal privacy issues.
According to White House spokesperson Caitlin Hayden, an executive order "is not close to being done."
"An Executive Order is one of a number of measures we're considering as we look to implement the President's direction to do absolutely everything we can to better protect our nation against today's cyberthreats," she wrote in an E-mail.
Lawmakers who supported CISPA and the accompanying Senate bill, the Cybersecurity Act of 2012, say the federal government needs to help private companies who are increasingly dealing with cyber attacks that compromise private data or shut down networks.
"In the last year, China has stolen so much intellectual property that it would be considered 50 times the print collection of the United States Library of Congress," Congressman Mike Rogers said in April.
Hayden says the document obtained by U.S. News is an "early, internal deliberative draft of a critical infrastructure policy to replace Homeland Security Presidential Directive 7," the 2003 document that allows the agency to develop policies to protect things such as power grids, telecommunications lines, and the nation's water supply.
According to the draft, the policy would require DHS to protect systems "in both the physical and cyber space."
Like CISPA, the document calls for public-private collaboration and data sharing, "including collective efforts to address threats and known and emerging vulnerabilities" against critical cyber infrastructure.
The document calls for creating an "information exchange framework to enable effective collaboration" and for the creation of two "coordination centers" run by the Department of Homeland Security—one for physical infrastructure and one for cyber infrastructure. It also calls for "routine collaboration and information exchange between all levels of government and [private industry]."
However, the order does not grant companies legal immunity if they violate privacy laws while sharing information.
Faced with a Congress that is increasingly obstructionist, Obama has come to rely on executive orders to accomplish his agenda—most notably deciding to allow children born to illegal immigrants to avoid prosecution earlier this year.
Last month, Democratic California Sen. Dianne Feinstein, who cosponsored the Cybersecurity Act of 2012, called on Obama to take "urgent action" to protect America's cyber infrastructure. In a letter to Obama, she urged him to issue an executive order to advance a cybersecurity agenda.
"Despite good faith efforts to reach a compromise and major concessions on our part, those opposed to the legislation were able to defeat progress on the bill. While efforts to reach consensus continue, I fear that the Congress will be unable to pass meaningful cybersecurity legislation this year," she wrote. "I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack."