Since Congress has not been able to find common ground on cybersecurity legislation, I appreciate the president’s stated intention to fortify the security of critical cybersystems through his executive powers. We know our adversaries are already stealing valuable intellectual property and exploiting our critical infrastructure to prepare for attack. Under the Homeland Security Act of 2002, the Department of Homeland Security has clear authority to conduct risk assessments of critical infrastructure, identify the systems or assets that are most vulnerable to cyberattack, and issue voluntary standards for them to maintain adequate cybersecurity.
Executive action is not the best way to protect the United States from cyberattacks. Without congressional action, the president cannot offer liability protections to industry to reward compliance with voluntary security guidelines. Nor can he require industry to report major cyber-intrusions. But the president can encourage owners of critical infrastructure to improve their cybersecurity by identifying systems and assets that pose the greatest risk and recommending measures necessary to protect them.