President Barack Obama will issue an executive order aimed at bolstering U.S. cybersecurity as soon as next week, according to two former White House officials briefed on the administration’s plans.
The executive order, expected to be released after Obama’s Feb. 12 State of the Union address, sets up a voluntary program of cybersecurity standards for companies operating vital U.S. infrastructure, according to the former officials, who asked to not be named because the order hasn’t been issued yet.
The administration has been drafting an executive order on computer security since at least last fall, before the Senate failed in its second attempt to pass Obama-backed legislation to create cyber standards for companies. Obama has said critical assets such as water-treatment plants and railway systems serving millions of people are vulnerable to hackers and need greater protection.
The administration is preparing the order amid recent cyber attacks including the security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other newspapers attributed to Chinese hackers, and denial-of-service attacks that disrupted websites of U.S. banks.
The order directs federal agencies to consider incorporating the cybersecurity standards into existing regulations, according to the officials. It directs the government to share more information about computer threats with the private sector and issue more security clearances allowing industry representatives to receive classified information, the officials said.
Caitlin Hayden, White House spokeswoman, declined to comment on the timing or substance of a potential executive order.
Administration officials including Homeland Security Secretary Janet Napolitano have continued to encourage lawmakers to act, saying only Congress has the authority to make statutory changes to improve cybersecurity.
By early March, Director of National Intelligence James Clapper is to release his annual assessment of threats to U.S. national security, which in recent years has pointed to the growing risks of cyber attacks against the U.S. and its allies.
Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, opposed the Obama-backed cybersecurity bill last year, saying voluntary standards would amount to de facto regulations that would burden industry and fail to keep pace with evolving computer threats.
House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland, said they will reintroduce a cybersecurity bill on Feb. 13. The measure, passed by the House last year, would give companies legal protections for sharing cyber threat information with each other and the government, and allow the government to provide classified threat data to the private sector.
“This is clearly not a theoretical threat -- the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear,” Rogers said in an e-mailed statement today. “We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats.”
The Obama administration last year threatened to veto Rogers’s bill, saying it wouldn’t shield the nation’s critical infrastructure or protect the privacy of consumer data that might be shared by companies.
In the Senate, Democratic committee leaders introduced a measure last month pledging to work together on cybersecurity in the new Congress. The measure says Congress should develop a public-private system to defend U.S. infrastructure and establish mechanisms for sharing cyber threat information.
The co-sponsors include Tom Carper of Delaware, chairman of the Homeland Security and Governmental Affairs Committee; Jay Rockefeller of West Virginia, head of the Senate Commerce Committee; and Dianne Feinstein of California, who leads the Senate Intelligence Committee. All three were sponsors of the bill blocked by Senate Republicans last year.
Obama in October signed a separate directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems.
The European Union announced its own cybersecurity plan yesterday, which could affect a wide swath of multinational companies that operate there.
According to the draft European Commission directive, banks, stock exchanges, hospitals and transportation companies would have to adopt more stringent network security standards in coordination with an appointed regulator in each member country. The directive would require critical infrastructure companies to tell regulators about significant cyber incidents and could require them to make a public disclosure.
That’s stricter than rules in the U.S., which don’t make companies disclose serious breaches unless they involve personal identifying information like Social Security numbers or credit card data. Even those requirements vary by state.
European disclosure requirements may affect U.S. companies with international operations, Stewart Baker, a former assistant secretary at the Department of Homeland Security, said in an e-mail.
“If and when adopted, it will be a game changer,” Baker said.
“It covers banks, aviation, and Internet companies, including cloud and e-commerce providers,” said Baker, who is now a partner at Steptoe & Johnson LLP in Washington. “If companies are required to report breaches in Europe, they won’t be able to avoid reporting breaches in the U.S. as well.”