Barack Obama has signed an executive order on cybersecurity aimed at boosting the defense of critical US infrastructure, while also avoiding the criticism over compromising civil liberties that its legislative predecessors suffered from.
The legislative push continues; it will cover the same area and make the increase in security mandatory for the private sector. A new version of the controversial bill CISPA is expected to be introduced in the House on Wednesday.
President Obama revealed the long-expected executive order in his State of the Union address on Tuesday. He cited the “growing threat from cyber-attacks” as the reason he used his executive power where legislators failed, adding that America must face this rapidly growing threat.
“We know hackers steal people’s identities and infiltrate private e-mail,” he said. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
Years from now, Americans cannot look back and wonder “why we did nothing in the face of real threats to our security and our economy,” Obama said.
The order directs government officials to come up with standards to reduce cybersecurity risks within the next 240 days, and to encourage companies to adopt the new framework. However, it has no legal power to force companies to adopt the framework of cybersecurity best practices.
The framework will be technology-neutral and aimed at addressing security gaps in the computer networks of crucial parts of the country's infrastructure – the electric grid, gas lines, water treatment plants and transportation networks.
Federal agencies are also being encouraged to share information with private companies on potential cyber threats. This would encompass technical data, such as identifying malicious code, and not private information, senior administration officials said.
The executive order comes in place of cybersecurity legislation that failed to pass legislative scrutiny last year. The issue of protecting infrastructure from cyber-attacks was initially free of partisan divide, but became increasingly politicized as work on it progressed.
Democrats favored the Cybersecurity Act of 2012, a bill that would have the Department of Homeland Security identify private owners of infrastructure considered critical and force them to introduce tighter defenses against hacker attacks, as advised by the federal government. Business lobbyists and Republican lawmakers opposed and eventually killed the bill, saying it would over-regulate the private sector and cost too much.
The Republican-backed Cyber Intelligence Sharing and Protection Act, or CISPA, passed the House only to be later strangled in the Senate amid criticism from Internet privacy and civil liberties advocates. Among other things, the bill would give blanket legal protection to companies volunteering private information to the government, and would allow the National Security Agency, which is normally restricted to foreign intelligence, to collect data domestically.
The new executive order has yet to raise any red flags from business owners or rights groups. The ACLU said it was "encouraged" by the move, and – in an apparent reference to CISPA – added that it shows "there are smart ways to bolster cybersecurity while protecting privacy."
However, the administration does not view the order as a replacement for the legislative process. Obama urged Congress to follow his lead and pass legislation giving Washington “a greater capacity to secure networks and deter attacks.”
In a joint statement, Republican Senators John McCain, Saxby Chambliss and John Thune said the executive action could not "achieve the balanced approach" that a Congressional law would.
“The Senate should follow regular order and craft legislation that will have an immediate impact on our nation's cybersecurity without adding or prompting regulations that could discourage innovation and negatively impact our struggling economy,” they said.
On Wednesday, the key sponsor of CISPA, Republican Representative Mike Rogers, who also chairs the House Intelligence Committee, is expected to reintroduce the bill.
“We agree that our biggest barriers to bolster our cyber defenses can be fixed only with legislation,” Rogers said.
The executive order comes as the number of government agencies and companies targeted by hackers is growing. Over the past two weeks, the Federal Reserve, the Energy Department and the New York Times and Wall Street Journal have all disclosed that their networks were breached by hackers.