With Congress focusing much of their time on the fiscal cliff, following another failed attempt to pass cybersecurity legislation, the White House may be a step closer to releasing its anticipated cyber executive order.
"The National Security Staff has held over 30 meetings with industry, think tanks and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people," Caitlin Hayden, a spokeswoman for the White House told Politico.
Intending to protect the nation’s critical infrastructure from cyber attacks, the new draft E.O., like the last, calls for the private sector to work with the government, sharing security-related information on a voluntary basis.
But the draft order is already catching criticism for a provision on incentives, which some say could make companies feel obligated to participate in the program.
“The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program,” states the draft. “Within 90 days of the date of this order, the Secretary and the Secretaries of Treasury and Commerce each shall make recommendations separately to the President… on what incentives can be provided to owners and operators of critical infrastructure that participate in the Program, under existing law and authorities, and what incentives would require legislation, including analysis of the benefits and relative effectiveness of such incentives.”
One incentive the E.O. mentions is the possibility of “changing the federal procurement process to create preferences for vendors who meet cybersecurity standards.” Though the order notes that creating such an incentive would have to come at the approval of the Secretary of Defense and the Administrator of General Services.
In working to gain other approval, particularly from privacy hawks who claim cybersecurity laws could crack down on civil liberties, the new draft of the E.O. includes a clause to “ensure that privacy and civil liberties protections are incorporated into such activities based upon the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles and frameworks.”
But until the executive order is issued – which could be days, weeks or months away – stay tuned, as more criticism is sure to come.