Independent agencies, which are not subject to an executive order, may still adopt the voluntary standards and apply them to sectors they regulate, officials said. In some sectors, the administration may already have the authority to impose mandatory cybersecurity standards. One issue being debated as part of the executive order is whether the administration should use that authority.
Some national security experts said the voluntary approach misses an opportunity. If the administration does not mandate standards in some areas, “they’re timid,” said Richard A. Clarke, a White House counterterrorism and cybersecurity adviser under the Bill Clinton and George W. Bush administrations.
He said the president can require standards in sectors where executive branch agencies have authority to enforce them. The Transportation Security Administration, for instance, has authority to regulate pipeline security, he said. The Coast Guard can regulate the security of communications systems at ports. The Federal Railway Administration, he said, can regulate the security of freight and passenger railroad operations.
“If the president has authority to create mandatory standards in some industries and he doesn’t use those,” Clarke said, “then the administration is not serious.”
Clarke also questioned why any company would comply with voluntary standards.
Indeed, some business advocates said even the establishment of voluntary standards is problematic. “Any voluntary approach by this administration is intended to be mandatory,” said Jody Westby, a cybersecurity consultant, noting that officials have stated that that is their goal. “It’s the camel’s nose under the tent. The next thing we know, it’s regulation. This has the potential to be incredibly costly to implement.”
Real changes will not be driven by government, said Jacob Olcott, a cyber expert with Good Harbor Consulting. “They’re going to come from lawsuits, from investors and shareholders asking specific and pointed questions.”
Nonetheless, “a cyber executive order is the best possible option left on the table,” even if just for voluntary standards, said Eric Chapman, associate director of the University of Maryland Cybersecurity Center. “Obstruction is high in Congress, and it’s not realistic that a bill will be acted upon by both bodies before February.”