My Brookings colleague Allan Friedman, a cybersecurity expert, sent me the following brief note following the State of the Union and the concurrent release of the president's executive order on cybersecurity:
Why use the executive, rather than relying on legislation? Congress has demonstrated ample interest in the topic of cybersecurity, but that's actually indicative of the problem. The last Congress held 61 hearings on cybersecurity. Over 100 bills were introduced in the last two four years.
The last time Congress actually passed a bill directly addressing cybersecurity issues? 2002.
The Federal Information Security Management Act of 2002 only applied to securing government systems. To put that in perspective, this bill predates DHS, which has the authority to safeguard civilian federal networks. As an added bonus, attempts to reform this somewhat outdated law have enjoyed support on both sides of the aisle in both the 111th and 112th congresses, and still failed to pass.
Thus, an executive order.