No Cybersecurity Executive Order, Please

Private firms should not have to choose between sharing cyber-threat information and facing a regulatory backlash.

Wall Street Journal

By JOHN MCCAIN, KAY BAILEY HUTCHISON AND SAXBY CHAMBLISS

Published September 14, 2012

One week after Democrats at their convention in Charlotte, N.C., called for an open Internet that fosters "innovation" and "investment," the Obama administration is readying plans to tighten the government's grip. The White House is preparing an executive order on cybersecurity that unilaterally imposes more mandates and regulations on the private economy.

Cybersecurity is a priority, but anything less than a strong information-sharing bill, based on policies that enhance national security and the economy, will fall short. The Senate needs to follow the lead of the House and pass a bipartisan bill that includes clear authority to do so, and provides liability protections to allow the private sector and government to better share cyber-threat information.

American industry faces a growing cyber threat from domestic and, more frequently, global actors. Vital industries such as communications, energy and transportation confront these threats in a number of ways, including by working with the government and its federal network of cybersecurity centers. While these efforts are invaluable, more can be done.

Over the last nine months, Congress has devoted considerable attention to crafting strong cybersecurity legislation. Recognizing the need for consensus, we've been working through the summer to resolve fundamental differences between the two primary Senate bills: the SECURE IT Act-which we co-sponsored-and the Cybersecurity Act of 2012. Yet now it appears the administration is set to act on its own.

That's the wrong solution because it cannot fully address the one area most critical to improving cybersecurity-enhancing the sharing of cyber-threat information among private firms and with the government. This type of information sharing, such as a company informing the government of malicious network activity, provides the government with a clearer view of the threat picture and allows network operators to identify and take steps to prevent attacks.

Today, sharing is significantly constrained because of legal hurdles. These include antitrust laws that preclude companies from working together to prevent cyber threats, and statutory limitations on when and what kind of information can be shared with government.

Companies must first check with their lawyers before sharing information for fear of litigation, not just from customers or shareholders but from federal and state governments as well. The net impact is that critical cyber-threat information is not shared in a timely manner or worse, not shared at all.

Responsibly removing these legal hurdles is at the core of the SECURE IT Act, which provides essential liability protections for companies that share cyber-threat information. These new statutory protections would drive information sharing and significantly improve our nation's cybersecurity. Because these protections require changes to existing law, the most basic cybersecurity needs cannot be accomplished by executive order alone.

There's another downside to an executive order. Unilateral action in the form of government mandates on the private sector creates an adversarial relationship instead of a cooperative one.

For years, the federal government has invested heavily in six cybersecurity centers that operate within various agencies across the federal government. They offer unique capabilities and benefits. Over time, different companies and industry sectors have developed mutually beneficial relationships with these centers. This cooperation and flexibility is critical and should be encouraged, not disrupted by adding new layers of bureaucracy at the Department of Homeland Security, as will likely occur with an executive order.

If we are serious about improving information sharing, we must encourage candid dialogue between the government and business. This will not occur unless we also ensure that the information the federal government receives isn't then used to impose new and extraneous regulations. Businesses should not have to choose between sharing cyber-threat information and facing a regulatory backlash.

Finally, once the government receives cyber-threat information, it must be allowed to use it. This can be done while ensuring strong privacy protections are in place. Cybersecurity and privacy protections can and should coexist. Privacy protections are best achieved by clearly defining what the private sector may share with the government and by requiring strong oversight.

What the country cannot afford is to build bureaucratic walls around information once it is shared with the federal government. The 9/11 Commission was clear about providing government agencies with the ability to speak to each other about the threats facing all aspects of our security.

Yet the Cybersecurity Act of 2012 would in effect re-erect these walls by prohibiting cyber-threat information shared with the federal government from being used for non-cyber related national-security purposes, such as information that could provide an early warning of a terrorist attack long before it becomes imminent. This limitation could mean that our law enforcement and intelligence agencies may not have access to all the information needed to keep this country safe.

Any government measures on cybersecurity will have a significant impact on the country's security and economic welfare. Skirting congressional action by issuing an executive order is neither appropriate nor effective. The democratic process ensures that Congress and the president work together, while listening to all those affected by their actions, to find the solution that's in the best interests of the American people. We call on the president to follow this process and work with Congress to pass sound cybersecurity legislation.

Sens. McCain, Hutchison and Chambliss are, respectively, the ranking Republicans on the Armed Services Committee, Commerce Committee and Intelligence Committee.