President Barack Obama’s administration is drafting an executive order that would create a program protecting vital computer networks from cyber attacks, according to two former government officials with direct knowledge of the effort.
The program, to be managed by the Department of Homeland Security, would establish cybersecurity standards that companies could voluntarily adopt to better protect banks, telecommunication networks and the U.S. power grid from electronic attacks, the officials, who have seen the draft, said on condition of anonymity because the document hasn’t been made public.
The draft, which remains under review and could change, seeks to implement a key provision in a cybersecurity bill that failed to advance in the Senate last month, the officials said. The administration is contemplating using an executive order because it isn’t clear Congress would pass a cybersecurity bill.
“An executive order is one of a number of measures we’re considering as we look to implement the president’s direction to do absolutely everything we can to better protect our nation against today’s cyberthreats,” White House spokeswoman Caitlin Hayden said in an e-mailed statement today. “We are not going to comment on ongoing internal deliberations.”
The draft calls for the Department of Homeland Security to create a council that would work with the National Institute of Standards and Technology to establish the cybersecurity standards, the officials said.
The Senate bill offered companies incentives, such as legal protections, for participating in the cybersecurity program and meeting government-approved standards.
Administration officials are discussing what kind of incentives could be offered through the executive order, one of the officials said.
While the program contemplated in the draft order would be voluntary, the Homeland Security Department would require companies participating in it to submit reports describing how they are protecting their networks, the official said.
The lack of incentives and the requirement for reports could undermine the willingness of companies to participate in the program, the official added.
John Brennan, Obama’s counterterrorism adviser, said on Aug. 8 the administration would consider taking executive action to protect computer networks.
“If the Congress is not going to act on something like this, then the president wants to make sure that we’re doing everything possible,” Brennan said.
Senate Republicans and business groups including the U.S. Chamber of Commerce blocked the cybersecurity bill. They said the voluntary standards would be a back door to government regulation of companies. The bill was sponsored by Senators Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican.
Brennan said opponents misrepresented the bill, which he said called for minimum performance standards.
“Believe me, the critical infrastructure of this country is under threat,” Brennan said, adding that foreign states and hackers “are developing advanced technologies, and we have to improve our defenses on this issue.”
Obama could accomplish many objectives of the Lieberman-Collins bill with an executive order or other directive, Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in an interview last month.
The president could encourage operators of key facilities to adopt voluntary standards, have the Homeland Security Department coordinate that process and require existing regulators that oversee infrastructure to make cybersecurity a focus, said Baker, now a partner at the Steptoe & Johnson law firm in Washington.
Matthew Eggers, senior director of national security at the Chamber of Commerce, has said an executive order would be counterproductive and would show the administration wants to regulate cybersecurity.
The Obama administration is already circulating a draft presidential directive dealing with a related issue: collecting and disseminating information about cybersecurity threats. That reflects “early” discussions about how to update a 2003 directive for protecting the most critical U.S. assets and “is not close to being done,” Hayden said on Aug. 29.
One issue that the proposed directive didn’t clearly explain is how much authority DHS would have to tell businesses what they must do to protect their computer systems from attack. The document says only that the department would plan “requirements for vulnerability and risk assessments.”
Presidential directives typically address national security or foreign policy matters. They are issued by the National Security Council and may be classified. The directives carry the same weight as executive orders, which deal with management and operations of the executive branch.
The Republican-controlled House of Representatives passed a bill in April that encourages businesses and government to share cyberthreat information, without setting standards for companies.
White House spokesman Jay Carney called the House bill “deeply flawed,” saying it threatens the privacy of consumer data and does nothing to protect the nation’s infrastructure.
Lieberman’s bill is S. 3414. The House bill is H.R. 3523.