Since the summer, the White House has crafted an executive order aimed at thwarting cyberattacks against U.S. critical infrastructure, such as water plants, the electric grid and telecommunications networks. The Obama administration began drafting the order after Congress failed to pass cybersecurity legislation last year.
The White House was expected to issue the cyber order by the end of last year, but has yet to release it. Sen. Tom Carper (D-Del.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, said last week that the White House has signaled it will issue the order in the second half of February, after President Obama gives his State of the Union address.
The White House has been quiet about the delay in releasing the executive order. Ozment was also vague in his comments about whether the White House will issue the order and declined to comment on timing.
"Right now we're exploring ways for executive branch departments and agencies to more effectively secure the nation's critical infrastructure through sharing information and working collaboratively with the private sector to develop and implement better cybersecurity practices," he said.
The administration has met with several industry groups, think tanks and companies to get their feedback on what should and should not be included in the order. Ozment said the White House cybersecurity staff has met with roughly 200 companies and trade organizations over the past few months.
Industry groups, such as the influential U.S. Chamber of Commerce, have voiced opposition to legislation that would apply new cybersecurity regulations on businesses. They argue that cyber threats evolve rapidly and industry will be slow to respond to these threats if they have to comply with specific government regulations.
Ozment emphasized that the administration is only interested in developing best practices for companies that operate critical infrastructure, which is "a small sub-sector of the industry in the U.S."
Companies have made it clear they want the government to share more information about cyber threats with them so they can prevent future cyberattacks on their computer networks, he said.
"You're right. The government has to share more information with the private sector and we're working every day to improve that," Ozment said. "We are reviewing polices on notifying companies when we have information that they are potential victims of cyber intrusions. We're also looking at existing programs that provide threat information [to] protect systems before they are targeted."
However, Ozment argued that improved information sharing practices are not enough to protect U.S. critical infrastructure from a crippling cyberattack. While information sharing is important, he said it's also essential for critical infrastructure companies to follow a baseline set of cybersecurity practices.
"If you don't have basic [cybersecurity] hygiene, no amount of information sharing will protect your systems from determined adversaries," he said. "You cannot use this information unless you have the basic set of [cybersecurity] capabilities and practices."