President Barack Obama's administration is drafting an executiveorder that would create a program protecting vital computernetworks from cyber attacks, according to two former governmentofficials with direct knowledge of the effort.

The program, to be managed by the Department of HomelandSecurity, would establish cybersecurity standards that companiescould voluntarily adopt to better protect banks, telecommunicationnetworks and the U.S. power grid from electronic attacks, theofficials, who have seen the draft, said on condition of anonymitybecause the document hasn't been made public.

The draft, which remains under review and could change, seeks toimplement a key provision in a cybersecurity bill that failed toadvance in the Senate last month, the officials said. Theadministration is contemplating using an executive order because itisn't clear Congress would pass a cybersecurity bill.

“An executive order is one of a number of measures we'reconsidering as we look to implement the president's direction to doabsolutely everything we can to better protect our nation againsttoday's cyberthreats,” White House spokeswoman Caitlin Hayden saidin an e-mailed statement today. “We are not going to comment onongoing internal deliberations.”

The draft calls for the Department of Homeland Security tocreate a council that would work with the National Institute ofStandards and Technology to establish the cybersecurity standards,the officials said.

The Senate bill offered companies incentives, such as legalprotections, for participating in the cybersecurity program andmeeting government-approved standards.

Administration officials are discussing what kind of incentivescould be offered through the executive order, one of the officialssaid.

While the program contemplated in the draft order would bevoluntary, the Homeland Security Department would require companiesparticipating in it to submit reports describing how they areprotecting their networks, the official said.

The lack of incentives and the requirement for reports couldundermine the willingness of companies to participate in theprogram, the official added.

John Brennan, Obama's counterterrorism adviser, said on Aug. 8the administration would consider taking executive action toprotect computer networks.

“If the Congress is not going to act on something like this,then the president wants to make sure that we're doing everythingpossible,” Brennan said.

'Under Threat'

Senate Republicans and business groups including the U.S.Chamber of Commerce blocked the cybersecurity bill. They said thevoluntary standards would be a back door to government regulationof companies. The bill was sponsored by Senators Joe Lieberman, aConnecticut independent, and Susan Collins, a Maine Republican.

Brennan said opponents misrepresented the bill, which he saidcalled for minimum performance standards.

“Believe me, the critical infrastructure of this country isunder threat,” Brennan said, adding that foreign states and hackers“are developing advanced technologies, and we have to improve ourdefenses on this issue.”

Obama could accomplish many objectives of the Lieberman-Collinsbill with an executive order or other directive, Stewart Baker, aformer assistant secretary for policy at the Department of HomelandSecurity, said in an interview last month.

The president could encourage operators of key facilities toadopt voluntary standards, have the Homeland Security Departmentcoordinate that process and require existing regulators thatoversee infrastructure to make cybersecurity a focus, said Baker,now a partner at the Steptoe & Johnson law firm inWashington.

Matthew Eggers, senior director of national security at theChamber of Commerce, has said an executive order would becounterproductive and would show the administration wants toregulate cybersecurity.

The Obama administration is already circulating a draftpresidential directive dealing with a related issue: collecting anddisseminating information about cybersecurity threats. Thatreflects “early” discussions about how to update a 2003 directivefor protecting the most critical U.S. assets and “is not close tobeing done,” Hayden said on Aug. 29.

DHS Authority

One issue that the proposed directive didn't clearly explain ishow much authority DHS would have to tell businesses what they mustdo to protect their computer systems from attack. The document saysonly that the department would plan “requirements for vulnerabilityand risk assessments.”

Presidential directives typically address national security orforeign policy matters. They are issued by the National SecurityCouncil and may be classified. The directives carry the same weightas executive orders, which deal with management and operations ofthe executive branch.

The Republican-controlled House of Representatives passed a billin April that encourages businesses and government to sharecyberthreat information, without setting standards forcompanies.

White House spokesman Jay Carney called the House bill “deeplyflawed,” saying it threatens the privacy of consumer data and doesnothing to protect the nation's infrastructure.

Lieberman's bill is S. 3414. The House bill is H.R. 3523.

Bloomberg News

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.