Controversial critical infrastructure cybersecurity legislation failed to overcome a Senate filibuster before Congress adjourned for its August recess, following a week of debate and a failed effort by lawmakers to agree on which of more than 100 proposed amendments should receive individual floor votes. But while the August deadlock probably marked the last opportunity for Congress to consider a comprehensive cybersecurity bill this year, some of the bill’s supporters are now calling on President Obama to circumvent Congress by taking action through an executive order.
The “Cybersecurity Act” (S. 3414) introduced by Senator Joe Lieberman (I-Conn.) had won the support of most Senate Democrats and the Obama Administration, but ran into strong opposition from Republicans who questioned provisions that would have allowed federal agencies to impose government-crafted “voluntary” cybersecurity standards on drinking water facilities and other critical infrastructure assets in the form of binding, mandatory regulations. The bill, which also would have increased cyber threat information sharing between the federal government and the private sector, ultimately died on a procedural vote after attracting only 52 of the necessary 60 votes to advance.
But in the weeks following the vote a number of Democratic members of Congress have publicly called on President Obama to enact similar cybersecurity proposals through an executive order, which would not require congressional approval. Among others, Sens. Lieberman, Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.), and Rep. Ed Markey (D-Mass.) have expressed support for an executive order, saying that cybersecurity is too urgent an issue to wait for congressional agreement.
Despite some early signals from the White House that it may be open to this approach, August ended with no further action on the topic. From the Administration’s perspective, because an executive order would not be enforceable like legislation passed by Congress, its impact would be limited. Most likely, an executive order could probably only direct the federal government to increase intergovernmental information sharing, identify existing cybersecurity vulnerabilities, and craft a set of purely voluntary critical infrastructure standards in response. Additionally, enacting such an executive order could reduce the pressure on Congress to act on a more comprehensive cyber bill.
For their part, Republican opponents of S. 3414 have warned the White House against taking any steps that could be perceived as circumventing congressional authority over the issue. Even Sen. Susan Collins (R-Maine), the only GOP sponsor of S. 3414, expressed discomfort with the idea of an executive order on the subject, saying that an executive order “could send the unintended signal that congressional action is not urgently needed.”