Sources: White House to issue cybersecurity order Wednesday

The White House is poised to release an executive order aimed at thwarting cyberattacks against critical infrastructure on Wednesday, two people familiar with the matter told The Hill.

The highly anticipated directive from President Obama is expected to be released at a briefing Wednesday morning at the U.S. Department of Commerce, where senior administration officials will provide an update about cybersecurity policy.

ADVERTISEMENT
The executive order would establish a voluntary program in which companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government. 

Observers are expecting the president to briefly mention the need for the country to improve its defenses against cyberattacks during his State of the Union address on Tuesday. 

White House press secretary Jay Carney declined Monday to say whether the president would discuss cybersecurity during his Tuesday address to Congress, saying the president believes that it’s “a very important issue.”

“It represents a huge challenge for our country. He has called on Congress to take action. Unfortunately, Congress has thus far refused legislatively,” Carney said at a press briefing with reporters. “But I don’t have any previews to provide.”

During last year’s address, the president made a brief mention about the cybersecurity legislative blueprint that his administration put forward in May 2011.

The White House began crafting the executive order after Congress failed to pass cybersecurity legislation last year. Officials said the threat facing the United States was too great for the administration to ignore and that it needed to take action as Congress grappled with passing a bill.

During his second term, the president is expected to exert his executive power on issues such as climate change, and it appears that cybersecurity is also on that list.

Yet administration officials have also stressed that the executive order is not a substitute for cybersecurity legislation, which is needed to protect the country’s water plants, electric grid and other critical infrastructure from cyberattacks. 

They note that an executive order cannot, unlike congressional legislation, grant new powers or authorities to federal agencies or departments. 

“We need comprehensive cybersecurity legislation,” Andy Ozment, a senior director for cybersecurity at the White House, said at a conference in Washington last week. “We cannot do everything under our existing authorities.” 

White House Cybersecurity Coordinator Michael Daniel, Commerce Department Deputy Secretary Rebecca Blank, Department of Homeland Security Deputy Secretary Jane Holl Lute and National Security Agency Director Gen. Keith Alexander will be among the officials participating in Wednesday’s briefing, according to details obtained by The Hill.   

A White House spokeswoman declined to comment on the timing of the executive order.

It has been revised several times over the past few months and would also encourage agencies to share intelligence about cyber threats with companies that operate critical infrastructure. 

Over the past few months, the White House has engaged in outreach efforts to industry groups, think tanks, companies and advocacy groups to solicit feedback on what should and should not be included in the order. 

A leaked copy of the draft order this fall revealed that the White House had incorporated some changes into the order that were an attempt to smooth over concerns that the high-tech industry had raised.  

The White House began work on the executive order after the Senate failed to pass a sweeping cybersecurity bill by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.). The bill included a measure aimed at improving information-sharing about cyber threats between government and industry.

However, it also had a more controversial provision that would encourage companies that operate critical infrastructure to adopt cybersecurity best practices and standards into their computer networks. 



More from The Hill:
♦ Senate Dems aim to have sequester bill ready by Thursday
♦ GOP pressures Obama on pipeline with 'Keystone Clock'
♦ Alec Baldwin, Morgan Freeman press Obama on climate change
♦ Report: SEAL who shot bin Laden lost health coverage
♦ Tributes to pope highlight abortion stance
♦ Carney: 'President believes we have a spending problem'
♦ Manchin opposes assault weapons ban
♦ Health law rule on 'essential benefits' set for final review


Critical infrastructure operators would receive incentives, such as added protection from legal action if they are hit with an cyberattack, in exchange for adopting those measures. 

That section of the Senate bill, the Cybersecurity Act, provided the backbone for the White House’s executive order. The bill failed a second time when it was brought to the Senate floor before the end of 2012.

GOP senators and the influential U.S. Chamber of Commerce fought hard against the Senate bill, warning that it would apply burdensome new regulations to businesses. Business groups argued that new cybersecurity rules would slow down companies’ ability to respond to cyber threats because they would be more focused on complying with regulations than on securing their networks. 

Instead, Republican lawmakers and business groups have advocated for Congress to pass legislation that is aimed at removing legal hurdles that prevent the government and companies from sharing intelligence about cyber threats in real time with each other. 

House Intelligence Committee leaders Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) are set to re-introduce an information-sharing bill on Wednesday. That bill passed the House last year despite receiving pushback from the White House. 

The bill aims to thwart cyberattacks by making it easier for private companies to share information about cyber threats and malicious source code with the intelligence community and the Department of Homeland Security.

Last year, privacy advocates argued that the bill would increase the pool of people’s electronic communications flowing to the military and the secretive National Security Agency. The White House issued a veto threat a day before the bill was taken up on the House floor for a vote, saying it repeals “important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards.”

The bill went untouched by the Senate last year. The upper chamber is expected to revive its work on cybersecurity legislation this year. 

Rockefeller, Feinstein and Sen. Tom Carper (D-Del.), the new chairman of the Homeland Security Committee, said enacting legislation would be a priority this year and introduced a resolution stating that cyberattacks are one of the most serious threats facing the United States.

This story was first posted at 2 p.m. and has been updated.