Obama Orders Cybersecurity Standards for Infrastructure

President Barack Obama bypassed Congress and issued an executive order to boost U.S. cybersecurity while telling lawmakers they still must act to further strengthen the nation’s computer defenses.

The order, released yesterday as Obama began his State of the Union speech, directs the government to develop voluntary cybersecurity standards for companies operating the nation’s vital infrastructure, such as power grids and air traffic control systems. It instructs federal agencies to consider putting those standards into existing regulations.

“It’s a good first step,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute. “It’s not a substitute for legislation.” Unless the president offers incentives to get companies to be more aggressive about cybersecurity, “it can only take us so far,” said Cilluffo, a former special assistant to President George W. Bush for homeland security.

Obama has said infrastructure such as nuclear plants and railway systems that serve millions of people are vulnerable to hacking and require greater protection. The administration has been drafting the executive order for months, seeking to implement some provisions of proposed Senate legislation blocked by Republicans last year. Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, said the bill’s standards would amount to burdensome regulation.

New Attacks

By allowing U.S. agencies to require companies to comply with stronger cybersecurity standards, the executive order creates “the worst-case scenario for organizations that fought efforts to pass cybersecurity legislation,” Afzal Bari, a Bloomberg Government analyst, said in a note today.

Cybersecurity has gained renewed national attention in recent weeks with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other news organizations attributed to Chinese hackers, and a wave of denial-of-service attacks that disrupted the websites of U.S. banks.

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems.”

The executive order “will strengthen our cyber defenses,” Obama said, adding that Congress should now pass legislation to “give our government a greater capacity to secure our networks and deter attacks.”

Security Companies

Network security companies including Sourcefire Inc., Fortinet Inc., and Palo Alto Networks Inc., may benefit from the creation of new cybersecurity standards under the executive order, Walter Pritchard, an analyst with Citigroup Inc., wrote in a research note today. At the same time, he said the total effect on technology spending may be minimal.

“We’ve seen many attempts to drive increased focus on cyber security through federal government initiatives,” Pritchard said. “While well intentioned, they have generally had little impact on spending on IT security products and we believe this will be the case again here.”

The executive order directs the National Institute of Standards and Technology, part of the U.S. Commerce Department, to develop cybersecurity standards for infrastructure companies. The Homeland Security Department will then work with federal agencies and industry on a voluntary program for companies to adopt the standards.

Legal Barriers

The order also expands a government program for sharing classified threat data with defense contractors and Internet-service providers to include infrastructure owners and the companies that provide them with network security.

Legislation is needed to remove legal barriers that discourage industry from telling the government about computer intrusions and to provide incentives for companies to adopt cybersecurity standards, General Keith Alexander, director of the National Security Agency and U.S. Cyber Command, said at a Commerce Department briefing in Washington today.

The government has “blind spots” with cybersecurity, Alexander said. “With so much of the critical infrastructure owned and operated by the private sector, the government is often unaware of malicious activity targeting our critical infrastructure.”

Banks, Utilities

Obama can’t give companies legal immunity for exchanging cyber-threat information with each other or with the government, said Mary Ellen Callahan, a partner in Washington with the Jenner & Block law firm and a former chief privacy officer with the Homeland Security Department. Some companies are concerned about antitrust and other restrictions on exchanging data, she said in an interview.

The president’s action “provides important direction to the public sector on the need to share information associated with threats to our critical infrastructures,” Frank Keating, chief executive officer of the American Bankers Association, said in an e-mailed statement.

The Edison Electric Institute, which represents investor-owned utilities including Southern Co. of Atlanta and Exelon Corp. of Chicago, called the order an important step while saying congressional action is needed to improve information sharing on cyber threats.

House Bill

House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland, reintroduced a cybersecurity bill today. The measure, which passed the House last year, offers legal protection for companies that share cyber-threat information with each other and the government, and makes it easier for the government to pass classified threat data to the private sector.

The Rogers-Ruppersberger bill, which doesn’t impose or suggest standards for companies, earned a veto threat last year from the Obama administration, which said it didn’t do enough to protect critical infrastructure or the privacy of personal data that might be shared by companies.

Obama’s executive order is “not perfect but we are excited about the opportunity to work with the president and fill in the gaps,” Rogers said at a news conference in Washington today. “We’ve had some great discussions with the White House.”

The American Civil Liberties Union opposes the Rogers bill, which “allows companies to share sensitive and personal American Internet data with the government, including the National Security Agency and other military agencies,” Michelle Richardson, ACLU legislative counsel, said in an e-mail.

The executive order’s information-sharing provisions “don’t negatively impact civil liberties,” Richardson said.

Before it's here, it's on the Bloomberg Terminal.