The Obama administration is drafting an executive order that would direct agencies to share cyber threat information with companies operating critical infrastructure, the Associated Press reported over the weekend.
A draft executive order, which was not dated, directs the Department of Homeland Security to work with the Pentagon, National Security Agency and others to develop a means by which companies could quickly be informed of known cyber threats, the AP reported. Based on the government's warnings, companies could better protect themselves against threats.
The draft order also includes language asking companies to share information with government about cyber threats and attacks, but it would not mandate that they do so. The draft order would also establish a voluntary program for companies to adopt better cybersecurity practices.
Clete Johnson, professional staff and counsel for the Senate Select Committee on Intelligence, said he hasn’t seen the draft order and doubts anyone in Congress has either. But if the order addresses information sharing, it likely will focus more on the government sharing information with the private sector, he said. There may be provisions about companies sharing cyber information with each other and with the government, but there isn’t much an executive order can do to force that, he said.
Michael Seeds, legislative director for Rep. Mac Thornberry, R-Texas, said the government could expand on an existing program, called the Defense Industrial Base Cyber Security and Information Assurance program, that allows defense contractors to share information with the Defense Department. The program began as a pilot in 2011 with some 20 volunteering companies. DoD expects the program will enable more than 2,650 defense contractors to exchange classified and unclassified cyber information with the government.
In August, Sen. Jay Rockefeller, D-W.Va., a senior member on the Senate Select Committee on Intelligence, pressed President Obama in a letter to “explore and employ every lever of executive power that you possess to protect this country from the cyber threat.”
Rockefeller co-sponsored the Cybersecurity Act, S 3414, which failed to pass in the Senate. The bill would have set voluntary standards for companies operating critical infrastructure, such as the electric grid, water treatment facilities and transportation systems.
“Everything that can be done in the statute ... can be done in the executive order, with the exception of three things,” Johnson said.
The order could not provide legal liability protections for companies that meet voluntary cybersecurity standards but are the victims of cyber attacks. It also could not ensure that private-sector leaders are involved in deciding voluntary cyber standards. And it could not explicitly forbid the government from telling companies how to implement cybersecurity, Johnson said.
Some experts say they are hopeful the executive order may lay the groundwork for cyber legislation in the future.
“It’s a new reference point that could shake things up a little bit,” said Johnson, who spoke Monday at a Washington cybersecurity conference. He added that the executive order could take Congress in one of two directions. Once it is signed, lawmakers could decide it is sufficient for the time being and fill in gaps with legislation, or they could decide the executive order is not sufficient and be more willing to compromise on some issues and speed passage of legislation.
“All we want to do is get this done, and get it done right,” Johnson said.
White House efforts follow the Senate’s failed attempt in August to pass cybersecurity legislation that would have created voluntary security standards for companies operating the nation’s critical infrastructure.
Last week, administration officials updated industry representatives on how they are developing the executive order, said Trey Hodgkins, senior vice president of global public-sector government affairs at TechAmerica.
The White House has not said when the order will be released, but Hodgkins said, based on the meeting, the order does not seem close to being finalized.
The White House declined to comment on the order or say when the president will sign it.