President Barack Obama signed an executive order Tuesday aimed at helping protect the computer networks of crucial American industries from cyberattacks and prodded Congress to enact legislation that would go even further.
Senior administration officials said Obama's order calls for the development of voluntary standards to protect the computer systems that run critical sectors of the economy like the banking, power and transportation industries. It also directs U.S. defense and intelligence agencies to share classified threat data with those companies.
"Now, Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said in his annual State of the Union address.
The president said America's enemies are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Obama's executive order has been months in the making and is the product of often difficult negotiations with private sector companies that oppose any increased government regulation.
While largely symbolic, the plan leaves practical questions unanswered: Should a business be required to tell the government if it's been hacked and U.S. interests are at stake? Can you sue your bank or water treatment facility if those companies don't take reasonable steps to protect you? And if a private company's systems are breached, should the government swoop in to stop the attacks -- and pick up the tab?
Under the president's new order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.
Officials will also come up with incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.
The administration was limited by law in what it could include in an executive order. But the order also calls for agencies to review their existing regulations to determine if the rules adequately address cybersecurity risks.
Congress has been struggling for more than three years to reach a consensus on cybersecurity legislation. Given that failure and the escalating risks to critical systems, Obama turned to the order as a stopgap measure with the hope that lawmakers will be able to pass a bill this year. Leaders of the House Intelligence Committee said they plan to re-introduce their bill that encourages the government to share classified threat information and also empowers companies to also share data while also providing privace and liability protections.
The process has exposed how difficult and complex the issue is, turning the long-awaited executive order into a bureaucratic scramble aimed at showing countries like China and Iran that the U.S. takes seriously the protection of consumer secrets. It's been an intensive effort by White House staff and industry lobbyists wary of government intervention but fearful about their bottom line.
"I think in general it means (the U.S.) will advance the case of cybersecurity, and that's important," said Paul Smocer, the head of the technology policy division at The Financial Services Roundtable, a powerful lobbying group that represents the nation's biggest banks. "How much teeth versus how much gum there is, we'll see."
The cyberthreat to the U.S. has been heavily debated since the 1990s, when much of American commerce shifted online and critical systems began to rely increasingly on networked computers. Security experts began to warn of looming disaster, including threats that terrorists could cut off a city's water supply or shut down electricity. But what's emerged in recent years, according to cyber experts, is the constant pilfering of America's intellectual property by U.S. competitors.
"We have, as the U.S. government, set up lawn chairs, told the burglars where the silver is in the bottom drawer, and opened up the case of beer and watched them do it," Rep. Mike Rogers, the Republican chairman of the House intelligence committee, told CBS' "Face the Nation" this week.
The U.S. has been preparing a new intelligence estimate that details cyber espionage as a growing economic problem. One official told The Associated Press last week that the estimate was expected to cite more directly a role by the Chinese government and favor aggressive action against the Chinese government. The official was not authorized to discuss the classified report and spoke only on condition of anonymity.
The report is expected to expand on a November 2011 report by U.S. intelligence agencies that accused Russia and China of systematically stealing American high-tech data for their own economic gain. China has denied the claims.
Richard Clarke, a former White House cybersecurity adviser during the Clinton administration, said that executive orders and intelligence estimates aside, the U.S. in 15 years of debate on the subject still hasn't answered the very practical questions of who exactly is in charge of stopping a cyberattack on commercial networks and at what point the government should deploy its own resources.