Part of that shift is because of the congressional impasse surrounding comprehensive cyber legislation, said Sen. Brian Schatz (D-Hawaii), a member of the Commerce, Science and Transportation Committee.
“We tried to legislate but we couldn’t come to consensus,” Schatz said Wednesday in an interview. “So this is the next best thing.”
Recently, Senate Democrats such as Richard Blumenthal of Connecticut have expressed reservations about relying on private firms, such as financial services companies, to voluntarily communicate insights about cyber intrusions. Blumenthal is the ranking member on the Commerce Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security.
“Voluntary standards are helpful, and even necessary in some cases, but not sufficient,” Blumenthal said in an email statement on Feb. 17, four days after Obama signed the executive order. “Voluntary standards only work if everyone is volunteering. Given the cascading nature of cyber-attacks, our country’s critical infrastructure is only as strong as its weakest link.”
Still, he said, “the executive order is a good first step, made necessary because Congress can’t pass comprehensive cyber-security legislation.”
Privacy concerns have been one of the main obstacles surrounding previous attempts to pass broader cyber legislation.
Sen. Claire McCaskill (D-Mo.), who also sits on the data security panel, said the voluntary framework is good, but not an ideal solution. “The best thing to do would be for Congress to take up” cyber legislation “and pass it,” she said Wednesday in an interview.
Earlier this month, Anthem Inc. suffered the largest disclosed data breach of a healthcare company in history, compromising the personal information of more than 80 million customers and employees. The hack was the latest in a series of cyber attacks on a range of U.S. companies, including Sony Pictures Entertainment Inc., Target Corp. and JPMorgan Chase & Co.
A recent report by the digital security company Gemalto said the U.S. accounted for 72 percent of all data breaches worldwide in 2014.
The executive order aims to facilitate greater communication on cyber threat issues by creating “information sharing and analysis organizations,” or ISAOs, which would ease the information sharing process between government and the private sector. The White House said an ISAO could take a number of forms such as a “membership organization” or a single company sharing information with its partners.
The White House said it hopes to overcome a major obstacle to combating cyber attacks: the failure in the private and public sector to effectively communicate about cyber breaches.
Representatives from financial trade organizations such as the American Bankers Association and the Financial Services Roundtable, which represents firms like Citigroup Inc. and Wells Fargo & Company, described the order as a positive step forward but noted that further congressional action would be needed to adequately ensure corporations would not face lawsuits over sharing personal data.
Sen. Tom Carper (D-Del.), the ranking Democrat on the Senate Homeland Security Committee, introduced legislation, S.456, on Feb. 11 that includes provisions similar to the president’s executive order. The bill has no cosponsors and no committee has taken action on the measure.
In the House, Republicans who might otherwise be critical of the White House signaled support for Obama’s executive order.
“It’s important to note this is not a mandatory sharing system, it’s voluntary,” Rep. Michael McCaul (R-Texas) said in response to privacy concerns raised by Rep. Curt Clawson (R-Fla.) in a House Homeland Security Committee hearing Wednesday. McCaul, who chairs the committee, said he is “pleased the president has come forward with a proposal on this important issue,” while adding that he plans on introducing cybersecurity legislation later this year.
On the other side of the aisle, some House Democrats said Obama’s proposal is the only way to get the private sector to join information-sharing efforts.
“We can try to force people into providing or sharing information,” said Rep. Norma J. Torres of California after the hearing Wednesday, “but I think a voluntary way is more appropriate to getting the stakeholders to work with us.”