White House officials are revealing details of President Barack Obama's initial plans for protecting the computer networks of crucial American industries from cyberattacks.
Their description of Obama's executive order was planned for Wednesday, a day after the president signed it. The announcement was also coming hours after the president urged Congress in his annual State of the Union address to pass legislation taking even tougher steps.
In his speech, Obama said America's enemies are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
He added, "Now, Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
On Tuesday, senior administration officials said Obama's order starts the development of voluntary standards to protect the computer systems that run critical sectors of the economy like the banking, power and transportation industries. It also directs U.S. defense and intelligence agencies to share classified threat data with those companies.
Obama's executive order has been months in the making and is the product of often-difficult negotiations with private sector companies that oppose any increased government regulation.
While largely symbolic, the plan leaves several practical questions unanswered:
— Should a business be required to tell the government if it's been hacked and U.S. interests are at stake?
— Can a person sue her bank or water treatment facility if those companies don't take reasonable steps to protect her?
— If a private company's systems are breached, should the government swoop in to stop the attacks — and pick up the tab?
Under the president's new order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.
There also must be incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.
The order also calls for agencies to review their existing regulations to determine whether the rules adequately address cybersecurity risks.
Congress has been struggling for more than three years to reach a consensus on cybersecurity legislation. Given that failure and the escalating risks to critical systems, Obama turned to the order as a stopgap measure with the hope that lawmakers will be able to pass a bill this year. Leaders of the House Intelligence Committee said they plan to reintroduce their bill that encourages the government to share classified threat information, empowers companies to also share data and provides privacy and liability protections.
The process has exposed how difficult and complex the issue is, turning the long-awaited executive order into a bureaucratic scramble aimed at showing countries like China and Iran that the U.S. takes seriously the protection of business secrets. It has been an intensive effort by White House staff and industry lobbyists wary of government intervention but fearful about their bottom line.
The cyberthreat to the U.S. has been heavily debated since the 1990s, when much of American commerce shifted online and critical systems began to rely increasingly on networked computers.