President Obama on Tuesday signed an executive order aimed at bolstering the cyber defenses of the country's critical infrastructure.
During his State of the Union address before Congress Tuesday evening, the president mentioned his recent signing of the executive order and called for Congress to take action to protect the nation's critical infrastructure from cyberattacks.
"We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," Obama said during his address. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
"That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy," he said. "Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
The need for bolstered cyber defenses has gained more attention over the past year after a rash of hacker attacks hit major U.S. newspapers and the websites of U.S. banks and federal agencies.
Senior administration officials frame the executive order as a way to continue the conversation on cyber-security policy and have stressed that, unlike legislation, the executive order cannot grant federal agencies and departments any new powers. For this reason, the administration has kept up its call for Congress to pass a comprehensive cyber-security bill because it says the cyber order is not a substitute for legislation.
"An executive order can only direct agencies to do something they already could have done under existing statutes," a senior administration official said on a conference call with reporters, noting that only legislation can grant companies liability protection from legal action if they are hit with a cyberattack.
The executive order directs the National Institute of Standards and Technology (NIST), which falls under the Commerce Department, to work with companies that operate critical infrastructure to develop a framework of cybersecurity best practices.
The framework will be technology-neutral and aimed at addressing security gaps in the computer networks of critical infrastructure, such as the electric grid, water plants and transportation networks.
A draft version of the framework is due in 240 days, and the final version will be published within a year.
The administration official said the executive order is intended to give critical infrastructure operators flexibility in choosing the security technology they want to secure their networks.
The order would only apply to a subset of industries, the official said, because the order defines critical infrastructure as systems and assets so vital to the U.S. "that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
The cyber order gives the Department of Homeland Security (DHS) a lead role in establishing a voluntary program that encourages critical infrastructure operators to adopt the NIST and industry-developed cybersecurity framework, which is aimed at beefing up the security of their computer systems and networks. DHS will work with agencies, such as the Department of Energy, and industry councils to implement the cybersecurity best practices laid out in the framework, as well as identify possible ways to entice companies to join the voluntary program.
The administration official declined to provide examples of incentives the government could propose.
The order also calls for federal agencies to review their existing cybersecurity rules to determine if they are up to par with the cybersecurity framework — a measure that could receive pushback from industry in the coming days. Agencies will review their existing cybersecurity regulations and, upon consultation with the companies they regulate, determine if they need to adopt new rules based on the framework. They will also determine whether they need to eliminate duplicative or outdated regulations that are no longer effective.
Agencies will only propose updated cybersecurity rules if they conclude that their existing regulations are not at the level of the framework, the official said.
The executive order is also aimed at increasing the pool of eligible companies that can receive classified cyber-threat information from the government, such as critical infrastructure operators or commercial service providers that deliver security services to critical infrastructure. The order also requires federal agencies to produce unclassified reports about cyberthreats to U.S. companies in a timely manner, as well as classified reports to authorized critical infrastructure operators.
The executive order also makes clear that agencies are required to implement privacy and civil liberties protections in their cyber activities, according to existing privacy principles and frameworks. Agencies are also required to review the privacy and civil liberties impact of their work and publicly release those assessments.
Those privacy-focused measures won approval from the American Civil Liberties Union (ACLU).
"The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties," Michelle Richardson, a legislative counsel for the ACLU, said in a statement. "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."
The U.S. Chamber of Commerce, which has opposed new government cybersecurity mandates, called the executive action "unnecessary."
The business lobby "opposes the expansion or creation of new regulatory regimes," Ann Beauchesne, vice president of the Chamber's national security and emergency preparedness arm, said in a statement.
"If the proposed cybersecurity program is to counter major threats to U.S. security, it needs to operate in a manner that is fast, flexible, and innovative — just like our adversaries," Beauchesne said.
“The Chamber also urges the administration to signal to Congress its support for industry-backed information-sharing legislation, full liability protections, and other narrowly tailored measures to help businesses improve the protection and resilience of their information systems,” she added.
Republican lawmakers have urged the White House to abandon its executive order and let Congress take the reins on passing cybersecurity legislation. In a statement, a trio of GOP senators called for the Senate to pass a bill through regular order this year.
“The president’s executive order cannot achieve the balanced approach that must be accomplished collaboratively through legislation and with the support of the American people. We will closely examine the executive order and ensure that there is thorough congressional oversight of any action it directs," Sens. John McCain (R-Ariz.), John Thune (R-S.D.) and Saxby Chambliss (R-Ga.) said in a joint statement.
"As the 113th Congress gets underway, the Senate should follow regular order and craft legislation that will have an immediate impact on our nation’s cybersecurity without adding or prompting regulations that could discourage innovation and negatively impact our struggling economy," they said.
Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, also called for legislation, but lauded the president for signing the executive order.
"Though we all recognize that legislation will still be required to provide the strongest mechanisms for securing critical infrastructure, I commend President Obama for taking this important step towards improving our nation’s cybersecurity," Thompson said in a statement.
On Tuesday, the administration also issued a presidential policy directive on critical infrastructure security and resilience that updated a 2003 version of the directive.