By Jennifer Martinez - 11/30/12 11:02 PM EST
Among the changes, the White House has included language explicitly stating that its cybersecurity guidance does not prescribe one type of security technology over another, according to a copy of the draft order obtained by The Hill. It also states that "any commercial information technology products" should not be identified as criticial infrastructure "at greatest risk" for an attack.
"To enable technical innovation and account for organizational differences, the cybersecurity framework will provide cybersecurity guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks," an excerpt from the draft order, dated Nov. 21, reads.
Another add to the cyber order directs the Treasury and Commerce Departments to recommend a set of possible incentives that would entice operators of critical infrastructure to join a voluntary program in which they would follow a set of cybersecurity standards. These incentives would have to fall within the parameter of existing laws as an executive order cannot grant new powers or authorities like congressional legislation can. The draft order also directs the two departments to compile recommendations on incentives that need to be passed in legislation.
White House spokeswoman Caitlin Hayden declined to comment on the latest draft but said in a statement that administration officials have engaged in a series of meetings with various cybesecurity players for input.
"Over the past months, the White House has conducted extensive outreach with stakeholders," Hayden said in an email. "The National Security Staff has held over thirty meetings with industry, think tanks, and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people.”
The Chamber has asked members for feedback on how the draft order could be improved, including possible incentives that would fall within the legal limitations of an executive order, according to an industry insider. The move signals a slight--though notable--shift in the Chamber's view of the executive order, which it has generally been critical of.
The order would create a voluntary program in which companies operating key infrastructure would elect to meet a set of cybersecurity standards developed, in part, by the government. Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) have called on the White House to exempt social networking, search engines and e-commerce networks--such as Google and Facebook--from any security standards included in the cyber order.