President Barack Obama might create a broad new program to protect vital government and private computer networks from cyber attacks, according to a draft document being circulated in his administration.
The government would continuously collect and disseminate information about cybersecurity threats in a new approach to combating attacks, according to the document. The administration is weighing taking action instead of waiting for Congress to pass cybersecurity legislation.
The draft represents “early” discussions about how to update a 2003 presidential directive for protecting the most critical U.S. assets and “is not close to being done,” White House spokeswoman Caitlin Hayden said in an e-mailed statement yesterday.
The administration and Congress have spent much of the past year discussing ways to prevent cyber attacks that could cripple U.S. telecommunication networks, banks, pipelines and electric grids. The Senate failed to advance comprehensive cybersecurity legislation backed by the administration after Republicans objected that it would be too costly and burdensome for companies.
“If the Congress is not going to act on something like this, then the president wants to make sure that we’re doing everything possible,” John Brennan, Obama’s counterterrorism adviser, said earlier this month.
The draft document outlines a vision for sharing information among the Homeland Security Department, Defense Department, U.S. intelligence agencies and companies that own or operate critical computer networks.
The Department of Homeland Security would be in charge of defending federal, non-military networks and would coordinate efforts to protect private-sector networks, according to the draft.
One issue that the draft doesn’t clearly explain is how much authority DHS would have to tell businesses what they must do to protect their computer systems from attack. The document says only that the department would plan “requirements for vulnerability and risk assessments.”
Two coordination centers would be created within DHS, one for physical assets and another for cybersecurity. “Together, these centers shall be the federal government’s focal point for situational awareness and actionable information to protect the physical and cyber aspects of critical infrastructures,” according to the draft.
The goal would be to have “a near-real-time common operating picture” for threats to critical infrastructure and “strong cooperation” between the government and companies, especially energy and communications companies, according to the document.
The Obama administration also is considering issuing more stringent cybersecurity requirements through an executive order, Hayden said.
Presidential directives typically address national security or foreign policy matters. They are issued by the National Security Council and may be classified. The directives carry the same weight as executive orders, which deal with management and operations of the executive branch.
Senate Intelligence Committee Chairwoman Dianne Feinstein, a California Democrat, has said the administration should issue a cybersecurity order.
“While an executive order cannot convey protection from liability that private sector companies may face, your administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security,” Feinstein wrote in an Aug. 28 letter to Obama.
“You can also direct the intelligence community and the Department of Homeland Security to provide as much information as possible to the private sector about cyber threats, including classified information,” she wrote.
The Senate bill number is S. 3414.
To contact the reporter on this story: Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Katherine Rizzo at email@example.com