Obama’s cyber executive order lays foundation for mandatory regulations

President Obama delivers his state of the union address Tuesday night. // Charles Dharapak/AP

Late Tuesday, President Obama signed an executive order on cybersecurity that offers industry more carrots than sticks to lay the groundwork for eventually mandating security standards and corresponding privacy protections.

The long-awaited order and accompanying policy directive, which Obama signed before delivering his State of the Union address, call for the Homeland Security Department to lead a voluntary public-private approach to securing private networks.

"America must face the rapidly growing threat from cyberattacks," Obama said in Tuesday's address. "We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." 

Until Congress authorizes new powers, the administration cannot force businesses to shield their computers or disclose computer breaches, which experts say are key to stopping intrusions by increasingly sophisticated actors and hostile nations. The thinking behind the executive order is that taking one year to achieve consensus with industry on voluntary information-sharing and security controls will enable new laws to immediately take effect, whenever Congress acts.

The measures allow operators of critical infrastructure networks to see classified intelligence on detected threats. This move expands a program that had been exclusive to defense contractors to power plants, water treatment facilities and other vital businesses that, if disrupted, would upend national or economic security. The guidelines also task the National Institute of Standards and Technology -- which has a good rapport with industry -- to co-develop cyber controls for those sectors. Under Tuesday’s directives, the government will align a framework of standards, methodologies, procedures and processes to "reduce cyber risks to critical infrastructure."

It is unclear how many companies will choose to participate in the new initiative. Part of the reason lawmakers have not passed even voluntary cyber reforms is that businesses and many Republicans fear optional measures eventually could become mandatory.

The executive order did not allay those fears. While pleased the order grants DHS significant oversight, the Republican head of the House Homeland Security Committee expressed misgivings about the policy’s potential for mission creep.

“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats. Our first priority must be ‘do no harm,’ ” Committee Chairman Rep. John McCaul, R-Texas, said in a statement. 

The White House guidelines direct agencies to look for financial incentives as well as penalties within current statutes that they might leverage against companies to promote compliance. To give this teeth, the order encourages market forces to work and asks agencies to review existing regulations as a backstop, a senior administration official said during a call with reporters on Tuesday evening.

The order overlooks the Pentagon's recently announced plans to deploy a military force within U.S. Cyber Command that would be charged with protecting domestic critical networks against adversaries.

Under Tuesday's guidelines, the Defense Department is treated like any other agency that regulates a certain economic sector. The departments of Treasury, Energy and various other federal organizations will be working with DHS and NIST to develop the security controls.

An administration official said the policies are meant to hit all the bases governmentwide, since no single player has all of the answers.

The measures assign DHS Secretary Janet Napolitano to "provide strategic guidance, promote a national unity of effort, and coordinate the overall federal effort to promote the security and resilience of the nation's critical infrastructure."

Implications for Federal Contracts

Within three months, DHS, the General Services Administration and the Pentagon are expected to weigh the merits of denying federal contracts to vendors that do not sign up for the program, as well as offer up other inducements.

Under the new dictate, agencies are supposed to produce an "analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the program." Agencies must consider the feasibility of "incorporating security standards into acquisition planning and contract administration," the policies state.

A privacy section in the documents outlines steps agencies must take to protect personal information while carrying out these activities. When private sector information is collected and shared with the government, concerns often arise that customer information will be exposed or abused. The House is anticipated to introduce a bill on Wednesday that has sparked these sorts of fears among privacy groups. As a result, American Civil Liberties Union leaders say they endorse the executive order.

“Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information," ACLU Legislative Counsel Michelle Richardson said in a statement. "If new information sharing authorities are granted—especially the overbroad ones being pondered by the House—these principles will be more important than ever.”

Agencies will have a year to compile a public report on how they will minimize privacy risks. The documents state, "Information submitted voluntarily" by private companies as part of the program will be "protected from disclosure to the fullest extent permitted by law."

Privacy concerns, as well as worries about companies being held liable for computer breaches they report, are among the factors that have paralyzed passage of legislation.

Limits of the Executive Order

On Tuesday evening, Obama administration officials and the House’s Republican cyber legislation coordinator said an executive order is insufficient to protect the United States from a violent attack. 

“No executive order can possibly do what needs to be done to protect our networks and our nation. It also cannot take the place of legislation. Strengthening cybersecurity must be collaborative and bipartisan," Rep. Mac Thornberry, R-Texas, vice chairman of the House Armed Services Committee, said in a statement.

An administration official said during the phone briefing, “This does not eliminate the need for legislation.”

Likewise, in one of his last speeches as Defense Secretary last week, Leon Panetta said, "We've asked for legislation from the Congress to try to give us the tools we need -- the legal tools we need so that we can develop a partnership with the private sector to be able to confront these challenges" in cyberspace, adding, "That's an important step to trying to be able to defend this country from those nations that would use a cyberattack to weaken us."
