President Obama walks outside the White House in Washington, D.C., on Feb. 12. (Saul Loeb / AFP via Getty Images)
President Obama on Tuesday ordered agencies to share more classified and unclassified cyber threat information with companies that operate systems critical to the nation, such as electric grids and water treatment facilities. He also called for the creation of security standards those companies could voluntarily adopt to protect their systems from cyberattacks.
The executive order follows Congress’ failed attempts last fall to pass comprehensive cybersecurity legislation. In his State of the Union speech Tuesday, Obama said the White House was forced to take action because increasing cyber threats could potentially disrupt national security.
“But now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” Obama said.
The executive order will not replace needed legislation, primarily because an executive order cannot provide liability protections for companies that adopt security standards but suffer an attack, one senior official told reporters.
The order does lay the groundwork for what could become mandatory standards for currently regulated industries and companies seeking to do business with the government.
Lawmakers of both parties recognized the limits of the executive order.
Sen. Tom Carper, D-Del., called the executive order an important first step but said legislation is the best long-term solution. Carper plans to hold a hearing on the executive order in the coming weeks.
Sens. John McCain, R-Ariz., Saxby Chambliss, R-Ga., and John Thune, R-S.D., said in a joint statement the executive order “is unable to provide liability protections.” They also voiced concern that the order will increase regulations and impede information sharing.
Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger, D-Md., plan to reintroduce cyber legislation Wednesday.
The Cyber Intelligence Sharing and Protection Act, passed by the House in the last congressional session, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Under the bill, HR 624, companies that share information or protect their networks would be granted legal protections if they’re subject to a cyberattack.
Shawn Osborne, president and CEO of the trade group TechAmerica, called the order “a prudent step forward and, hopefully, a catalyst to Congress finding common ground on the issues.”
The order and accompanying cybersecurity policy detail the government’s role in enhancing the nation’s cybersecurity:
The Commerce Department’s National Institute of Standards and Technology will publish a draft cybersecurity framework by October. The framework will include voluntary security standards for critical infrastructure companies, based on best practices and industry input. NIST will work with the Department of Homeland Security to publish a final version of the framework within a year.
DHS will create a program to support voluntary adoption of the standards. By June, DHS, in coordination with the Treasury and Commerce departments, must recommend incentives to entice private-sector involvement in the program.
DHS will identify companies that control the most critical infrastructures, the target audience for the voluntary program.
The Defense Industrial Base Information Sharing Program will be expanded to include more critical infrastructure companies. Under the program, government and industry share classified threat information, including software code used to detect malware.
By June, the Defense Department and General Services Administration will report on the feasibility and benefits of incorporating security standards into federal contracts and acquisition planning, and on whether those standards are consistent with existing procurement requirements.
Agencies are directed to regularly assess the privacy and civil liberties impacts of their activities and share that information with the public.
For sectors currently regulated by the federal government, such as the chemical and nuclear sectors, security standards could become mandatory.
The executive order directs regulatory agencies to assess whether their current cybersecurity regulations are sufficient. “If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the cybersecurity framework and in consultation with their regulated companies,” the White House said.
Administration officials would not say what legal or financial ramifications regulated companies could face if they did not comply with potentially new standards.