President Obama’s recent Executive Order contains several limitations that will hinder American efforts to bolster cybersecurity.
In 2001, Congress passed the Critical Infrastructure Protection Act (CIPA), which contends that “the information revolution has transformed the conduct of business and the operations of government as well as the infrastructure relied upon for the defense and national security of the United States.” Twelve years later, President Obama issued an Executive Order (EO) on February 12 that outlined his Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21), beginning the process of fashioning a response to this transformation.
The EO, which came after Congress failed to pass the Cyber Intelligence and Sharing Act (CISPA) and followed the recent cyber-attacks on The New York Times, Washington Post, Twitter, and Facebook, aims to build an agreed-upon framework for businesses and critical infrastructure providers that will increase their capacity to respond to and protect themselves against cyber threats. In light of these developments, the U.S. should question where it stands with regard to the provision of cybersecurity and consider the effect that the willingness to legislate against these threats will have.
The EO itself has severe limitations, not least of which is that it limits itself in application to “critical infrastructure,” rather than focusing upon the gamut of threats stemming from within U.S. borders and beyond. Moreover, the Order fails to define what “critical infrastructure” entails beyond “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
This working definition faces the obvious problem of being potentially wide in scope and providing no limits to its application. This vague language and concerns about its application vis-à-vis civil liberties are reminiscent of the wide-reaching Stop Online Piracy Act (SOPA) that so concerned the Twitterati, blogosphere, and Redditors that they successfully mobilized against it.
Ironically, these vague definitions also hamper the Order’s effectiveness. Major players are not identified and it would appear that any party with an interest in cybersecurity (there are many of them) is invited to the table hosted by the Department of Homeland Security and the National Institute of Standards and Technology. Adding stakeholders increases the likelihood of divergence, rather than convergence, in any framework that is created. Such a divergence might even be natural given the wide variety of actors from telecommunications companies to energy providers that provide “critical infrastructure,” but it remains to be seen who will be involved in the process.
Further, these definition issues are not the only problems associated with the President’s EO. The overriding critique is that it is toothless and only offers a method for dialogue and negotiation seeking “consensual decision-making” rather than concrete regulations that would better mitigate the risks associated with cyber threats. Consequently, the Order cannot be expected to provide anything more than targets. Meanwhile, the organizations that present a danger to critical infrastructure are unlikely to be resting on their laurels as this initiative takes shape. Additionally, the EO’s focus on “cost effectiveness” suggests that it is unlikely to produce new statutes and industry standards beyond what already exists. As written and after a year of back and forth, the Order provides unenforceable mandatory minimums for hitherto undefined critical infrastructure providers. While recognizing the problems faced by legislators attempting to deal with cybersecurity, the EO needs to do more if it hopes to deal with the fairly significant dangers to the critical infrastructure of the United States.
There is also the fairly obvious question regarding whether it should do more. Beyond the EO on cybersecurity referring to critical infrastructure, it has long been apparent that there remains a perpetual debate concerning whether the Internet is a privileged space separate from the normal rules and process of securitization. While the Internet is often referred to as a bastion of civil liberty where users can create, innovate, and share ideas, it is, perhaps increasingly, a dangerous space that provides all businesses and companies with a catch-22. They cannot afford to stay off of the web, but must also bear the burden of risk and protection when they are on it. Reconciling this danger with the potential of this relatively new global commons is a battle that will likely rage for the foreseeable future and, in reality, there are no compelling right answers.
To this end, the President’s EO offers a peculiarly tentative first step toward securing Internet-based technology in an area that most find impossible to oppose. An Order that will protect the dams, power lines, generators, cell phone towers, and other infrastructure that individuals use every day is unlikely to garner dissent. What many fear, however, is how the eventual protections might spill over into banking, social networking, political activism, and investigative journalism, preceding future legislation related to the Internet that is already incongruous with the existing justice system.
The eventual and perhaps inevitable securitization of cyberspace is likely to entrench established players in the market and have significant implications for the process of future innovation and economic growth. Therefore, none of us can afford to miss this opportunity to debate, argue, and engage with this issue. For the past fifteen years, the Internet has felt like the frontier. It increasingly feels as if we have reached the Pacific.
Andrew Reddie is an associate at the Council on Foreign Relations. He can be followed on Twitter under the handle @areddie89.