Late Tuesday, President Obama signed an executive order on cybersecurity that offers industry more carrots than sticks to lay the groundwork for eventually mandating security standards and corresponding privacy protections.
The long-awaited order and accompanying policy directive, which Obama signed before delivering his State of the Union address, call for the Homeland Security Department to lead a voluntary public-private approach to securing private networks.
"America must face the rapidly growing threat from cyberattacks," Obama said in Tuesday's address. "We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Until Congress authorizes new powers, the administration cannot force businesses to shield their computers or disclose computer breaches, which experts say are key to stopping intrusions by increasingly sophisticated actors and hostile nations. The thinking behind the executive order is that taking one year to achieve consensus with industry on voluntary information-sharing and security controls will enable new laws to immediately take effect, whenever Congress acts.
The measures allow operators of critical infrastructure networks to see classified intelligence on detected threats. This move expands a program that had been exclusive to defense contractors to power plants, water treatment facilities and other vital businesses that, if disrupted, would upend national or economic security. The guidelines also task the National Institute of Standards and Technology -- which has a good rapport with industry -- with co-developing cyber controls for those sectors. Under Tuesday’s directives, the government will develop a framework of standards, methodologies, procedures and processes to "reduce cyber risks to critical infrastructure."
It is unclear how many companies will choose to participate in the new initiative. Part of the reason lawmakers have not passed even voluntary cyber reforms is that businesses and many Republicans fear optional measures eventually could become mandatory.
The executive order did not allay those fears. While pleased the order grants DHS significant oversight, the Republican head of the House Homeland Security Committee expressed misgivings about the policy’s potential for mission creep.
“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats. Our first priority must be ‘do no harm,’ ” Committee Chairman Rep. Michael McCaul, R-Texas, said in a statement.
The White House guidelines direct agencies to look for financial incentives, as well as penalties within current statutes, that they might leverage against companies to promote compliance. To give this teeth, the order encourages market forces to work and asks agencies to review existing regulations as a backstop, a senior administration official said during a call with reporters on Tuesday evening.
The order overlooks the Pentagon's recently announced plans to deploy a military force within U.S. Cyber Command that would be charged with protecting domestic critical networks against adversaries.
Under Tuesday's guidelines, the Defense Department is treated like any other agency that regulates a certain economic sector. The departments of Treasury, Energy and various other federal organizations will be working with DHS and NIST to develop the security controls.
An administration official said the policies are meant to hit all the bases governmentwide, since no single player has all of the answers.
The measures assign DHS Secretary Janet Napolitano to "provide strategic guidance, promote a national unity of effort, and coordinate the overall federal effort to promote the security and resilience of the nation's critical infrastructure."
Implications for Federal Contracts
Within three months, DHS, the General Services Administration and the Pentagon are expected to weigh the merits of denying federal contracts to vendors that do not sign up for the program, and of offering other inducements.
Under the new dictate, agencies are supposed to produce an "analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the program." Agencies must consider the feasibility of "incorporating security standards into acquisition planning and contract administration,” the policies state.
A privacy section in the documents outlines steps agencies must take to protect personal information while carrying out these activities. When private sector information is collected and shared with the government, concerns often arise that customer information will be exposed or abused. The House is anticipated to introduce a bill on Wednesday that has sparked these sorts of fears among privacy groups. By contrast, American Civil Liberties Union leaders say they endorse the executive order.
“Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information," ACLU Legislative Counsel Michelle Richardson said in a statement. "If new information sharing authorities are granted—especially the overbroad ones being pondered by the House—these principles will be more important than ever.”
Agencies will have a year to compile a public report on how they will minimize privacy risks. The documents state, "Information submitted voluntarily" by private companies as part of the program will be "protected from disclosure to the fullest extent permitted by law."
Privacy concerns, as well as worries about companies being held liable for computer breaches they report, are among the factors that have paralyzed passage of legislation.
Limits of the Executive Order
On Tuesday evening, Obama administration officials and the House’s Republican cyber legislation coordinator said an executive order alone is insufficient to protect the United States from a damaging cyberattack.
“No executive order can possibly do what needs to be done to protect our networks and our nation. It also cannot take the place of legislation. Strengthening cybersecurity must be collaborative and bipartisan," Rep. Mac Thornberry, R-Texas, vice chairman of the House Armed Services Committee, said in a statement.
An administration official said during the phone briefing, “This does not eliminate the need for legislation.”
Likewise, last week, in one of his last speeches as Defense Secretary, Leon Panetta said, "We've asked for legislation from the Congress to try to give us the tools we need -- the legal tools we need so that we can develop a partnership with the private sector to be able to confront these challenges" in cyberspace, adding, “That's an important step to trying to be able to defend this country from those nations that would use a cyberattack to weaken us."