Obama’s cyber executive order lays foundation for mandatory regulations

President Obama delivers his state of the union address Tuesday night. Charles Dharapak/AP

The directive expands to all critical sectors a Defense Department program that shares classified threat intelligence.

Late Tuesday, President Obama signed an executive order on cybersecurity that offers industry more carrots than sticks to lay the groundwork for eventually mandating security standards and corresponding privacy protections.

The long-awaited order and accompanying policy directive, which Obama signed before delivering his State of the Union address, call for the Homeland Security Department to lead a voluntary public-private approach to securing private networks.

"America must face the rapidly growing threat from cyberattacks," Obama said in Tuesday's address. "We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." 

Until Congress authorizes new powers, the administration cannot force businesses to shield their computers or disclose computer breaches, which experts say are key to stopping intrusions by increasingly sophisticated actors and hostile nations. The thinking behind the executive order is that taking one year to achieve consensus with industry on voluntary information-sharing and security controls will enable new laws to immediately take effect, whenever Congress acts.

The measures allow operators of critical infrastructure networks to see classified intelligence on detected threats. This move expands a program that had been exclusive to defense contractors to power plants, water treatment facilities and other vital businesses that, if disrupted, would upend national or economic security. The guidelines also task the National Institute of Standards and Technology -- which has a good rapport with industry -- to co-develop cyber controls for those sectors. Under Tuesday’s directives, the government will align a framework of standards, methodologies, procedures and processes to "reduce cyber risks to critical infrastructure."

It is unclear how many companies will choose to participate in the new initiative. Part of the reason lawmakers have not passed even voluntary cyber reforms is that businesses and many Republicans fear optional measures eventually could become mandatory.

The executive order did not allay those fears. While pleased the order grants DHS significant oversight, the Republican head of the House Homeland Security Committee expressed misgivings about the policy’s potential for mission creep.

“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats. Our first priority must be ‘do no harm,’ ” Committee Chairman Rep. John McCaul, R-Texas, said in a statement. 

The White House guidelines direct agencies to look for financial incentives as well as penalties within current statutes that they might leverage against companies to promote compliance. To give this teeth, the order encourages market forces to work and asks agencies to review existing regulations as a backstop, a senior administration official said during a call with reporters on Tuesday evening.

The order overlooks the Pentagon's recently announced plans to deploy a military force within U.S. Cyber Command that would be charged with protecting domestic critical networks against adversaries.

Under Tuesday's guidelines, the Defense Department is treated like any other agency that regulates a certain economic sector. The departments of Treasury, Energy and various other federal organizations will be working with DHS and NIST to develop the security controls.

An administration official said the policies are meant to hit all the bases governmentwide, since no single player has all of the answers.

The measures assign DHS Secretary Janet Napolitano to "provide strategic guidance, promote a national unity of effort, and coordinate the overall federal effort to promote the security and resilience of the nation's critical infrastructure."

Implications for Federal Contracts

Within three months, DHS, the General Services Administration and the Pentagon are expected to weigh the merits of denying federal contracts to vendors that do not sign up for the program, as well as offer up other inducements.

Under the new dictate, agencies are supposed to produce an "analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the program." Agencies must consider the feasibility of "incorporating security standards into acquisition planning and contract administration," the policies state.

A privacy section in the documents outlines steps agencies must take to protect personal information while carrying out these activities. When private sector information is collected and shared with the government, concerns often arise that customer information will be exposed or abused. The House is anticipated to introduce a bill on Wednesday that has sparked these sorts of fears among privacy groups. As a result, American Civil Liberties Union leaders say they endorse the executive order.

“Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information," ACLU Legislative Counsel Michelle Richardson said in a statement. "If new information sharing authorities are granted—especially the overbroad ones being pondered by the House—these principles will be more important than ever.”

Agencies will have a year to compile a public report on how they will minimize privacy risks. The documents state, "Information submitted voluntarily" by private companies as part of the program will be "protected from disclosure to the fullest extent permitted by law."

Privacy concerns, as well as worries about companies being held liable for computer breaches they report, are among the factors that have paralyzed passage of legislation.

Limits of the Executive Order

On Tuesday evening, Obama administration officials and the House’s Republican cyber legislation coordinator said an executive order is insufficient to protect the United States from a violent attack. 

“No executive order can possibly do what needs to be done to protect our networks and our nation. It also cannot take the place of legislation. Strengthening cybersecurity must be collaborative and bipartisan,” Rep. Mac Thornberry, R-Texas, vice chairman of the House Armed Services Committee, said in a statement.

An administration official said during the phone briefing, “This does not eliminate the need for legislation.”

Likewise, in one of his last speeches as Defense Secretary, last week Leon Panetta said, "We've asked for legislation from the Congress to try to give us the tools we need -- the legal tools we need so that we can develop a partnership with the private sector to be able to confront these challenges" in cyberspace and, “That's an important step to trying to be able to defend this country from those nations that would use a cyberattack to weaken us." 
