Federal Regulations Advisor Insight and Commentary on U.S. Government Regulatory Affairs

The Need to Know About Executive Orders: Much Ado About … Cybersecurity

Posted in Agency Authority, Constitutional Issues in Regulations

“Executive Orders” will never be confused with Shakespeare, but they are often worth reading for political theater.  The real question is not their literary or entertainment value, but what they really do.  President Obama’s (aka POTUS) recent Executive Order 13,636: Improving Critical Infrastructure Cybersecurity provides a good example of what an executive order can and cannot do, and how an executive order can be used.  In the highly technical area of critical infrastructure cybersecurity, fraught with anonymous dangers, the powers the President exercises are not legal but managerial.

Much Ado …:  Say the word ‘cybersecurity,’ and the world is wide awake with a mix of desire and apprehension.  When POTUS said the word, experts like former Department of Homeland Security (DHS) Assistant Secretary for Policy Stewart Baker had useful things to say on Where Does the Cybersecurity Executive Order Hit and Miss the Mark?  More than twenty worthwhile postings from every corner of the Lexblog Network focused on aspects of Executive Order 13,636 within the past week.  A critical issue – and focus here – is what this executive order can actually do with non-Federal critical infrastructure cybersecurity.

Authority and Private Rights:  The general rule is that POTUS may not unilaterally impose obligations and liabilities on private parties.  Two large caveats are required (and there are smaller ones):

  • POTUS may affect private rights and liabilities unilaterally within his Powers that flow directly from the Constitution (e.g. foreign affairs, to the extent not overwritten by statutory details that do not infringe).
  • Congress may authorize direct Presidential action, and delegate authority to the President as it may delegate to his agencies; and courts may imply authority for executive orders from statutes (including treaties).

The cybersecurity executive order recognizes POTUS’ limited authority, averring that it is to be implemented consistent with applicable law and subject to the availability of appropriations, disclaiming that it grants, alters, or limits agency authority granted under existing law, and containing the ubiquitous (or boilerplate) “creates no rights” clause.  This executive order, like most, is a management tool, no more.  Unfortunately, too many read more into such executive orders than is actually there, and the White House would like everyone to believe there is more.

YS&T:  Lawyers will remember from law school (and perhaps are trying to forget, but should not) Justice Jackson’s enduring formulation of Constitutional Power in the Youngstown Sheet & Tube v. Sawyer (aka the Steel Seizure Case):

1. When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate.  ….

2. When the President acts in absence of either a congressional grant or denial of authority, he can only rely upon his own independent powers, but there is a zone of twilight in which he and Congress may have concurrent authority, or in which its distribution is uncertain.  ….

3. When the President takes measures incompatible with the expressed or implied will of Congress, his power is at its lowest ebb, for then he can rely only upon his own constitutional powers minus any constitutional powers of Congress over the matter.

In cybersecurity, the twilight zone abounds, for Congress has acted in small authorizations and appropriations without a coherent whole.

Regulatory Implications:  A daunting task assigns to the Department of Commerce (DOC)’s National Institute of Standards and Technology (NIST) the development of a “Cybersecurity Framework” (“project manager” jargon for more jargon) to reduce cyber risks to critical infrastructure within one year, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible.”  The substantive heart of the executive order remains cloudy:

  1. When the Framework is published, agencies must determine if current regulations are sufficient given current and projected risks, and report whether they have clear authority to establish requirements based upon the Framework to sufficiently address current and projected cyber risks to critical infrastructure, identify the existing authorities, and suggest any additional required authority.
  2. If the current regulatory requirements are deemed insufficient, within another 90 days, agencies propose “prioritized, risk-based, efficient, and coordinated actions,” consistent with all of the regulatory review executive orders.
  3. Finally, within two years after publication of the Framework (i.e. three years from now), agencies, in consultation with owners and operators of critical infrastructure, report any critical infrastructure that is subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.

POTUS presumes that regulations will be necessary by requiring that actions be consistent with the regulatory review executive orders, but that depends on legislation that has not passed.  The retrospective review of current (+ three years) regulations’ effect on cybersecurity is delayed for three years.  This glacial pace seems to suggest that little or no groundwork has actually been accomplished, despite DHS’ efforts over the past decade, and this executive order’s germination for most of POTUS’ first term.  This extended projection for a retrospective review without a statutory base seems dubious and perhaps disingenuous.

Managing Discretion:  The ‘subject to applicable law and appropriations’ limitation is a hint at what agencies may and may not do – they may coordinate, consult, manage – even contract among each other under the Economy Act.  They may act within the bounds of their statutory discretion consistent with POTUS’ commands.  Managing discretion may be at the heart of the executive order, but the current dearth of legislative authorization (and the complex problem of limitations on information sharing roundly criticized) leaves far more questions unanswered and much the agencies may not do.

Inter-agency Expectations:  DHS – most prominent in the executive order – already operates the Protected Critical Infrastructure Program (PCII) under its organic statute, the Homeland Security Act of 2002.  Many other agencies – most prominently the Department of Defense (DOD) and the Department of Justice (DOJ) – have specific authorities and interests, and tension among the agencies has been significant, public, and problematic.  Perhaps the most important aspect of this executive order has nothing to do with law at all – but an attempt to settle Presidential appointees’ expectations and ambitions.

Signifying …:  Executive Order 13,636 claims no specific statutory premise – it relies on the Constitution and “laws” because Congress has not acted to grant the Executive or executive agents or agencies overall cybersecurity authority.  The executive order is stage-setting for if and when Congress does act, and Congress may undo what POTUS has done.  POTUS may only be managing discretion and his subordinates, which does not require an executive order and does not have legal effect, but the executive order signifies something more than nothing.