Draft Order Seeks To Improve U.S. Digital Defenses
WASHINGTON (AP) — The Obama administration is preparing an executive order with new rules to protect U.S. computer systems, after Congress failed earlier this summer to pass a cybersecurity bill. The provisions include voluntary standards for companies, a special council run by the Homeland Security Department and new regulations covering especially vital systems, according to a draft of the order obtained by The Associated Press.
But just weeks before the election, the White House risks complaints that President Barack Obama is anti-business from Republicans and the same pro-business groups that killed the legislation on Capitol Hill.
National security officials have warned that electric grids, water plants, banks and other essential industries operated by the private sector are vulnerable to cyberattacks. Yet there are deep divisions over the best approach for keeping hackers and other criminals, foreign governments or terrorist groups from penetrating these systems, which rely heavily on computer networks to remotely control switches, valves and terminals.
Critical infrastructure systems provide services that are part of everyday life. But an enemy with the proper know-how could cause catastrophic damage and chaos by giving them incorrect commands or infecting them with malicious software. Potential nightmare scenarios include high-speed trains being put on collision courses, blackouts that last days or perhaps even weeks, or chemical plants that inadvertently release deadly gases.
"If those intruders get into those systems and then can determine how they can in fact interfere in the command and control systems of these systems, they can do things," White House counterterrorism adviser John Brennan said last month.
The draft order obtained by the AP said it would seek better digital defenses for critical infrastructure while encouraging economic prosperity and promoting privacy and civil liberties. It would create a new critical infrastructure cybersecurity council, which would be run by the Homeland Security Department and include representatives from the departments of defense, justice and commerce, and national intelligence office. The group would submit a report to the president to assess threats, vulnerabilities and consequences for all critical infrastructure sectors.
The draft order also allows federal agencies to propose new regulations or broaden existing ones, based on recommendations from the Commerce Department's National Institute of Standards and Technology. It would require agencies within 90 days to describe the legal authorities they would use to protect especially important computer systems, define what systems should be covered and determine whether existing regulations were adequate.
The private sector would collaborate with the cybersecurity council and also cooperate with NIST in the development of cybersecurity guidance, according to the order.
A spokeswoman for the National Security Council, Caitlin Hayden, described the order as "one of a number of measures we're considering as we look to implement the president's direction to do absolutely everything we can to better protect our nation against today's cyber threats." Hayden declined to comment further on what she described as ongoing, internal deliberations.
The order reviewed by the AP was undated and could be revised before Obama signs it. Executive orders are legally binding but can be contentious because they bypass Congress.
Sen. Susan Collins, R-Maine, one of only a few Republicans to support the cybersecurity bill, said she understood the Obama administration's desire to act but said an executive order is not a substitute for legislation.
"An executive order could send the unintended signal that congressional action is not urgently needed," Collins said in an email.
Republicans and the Chamber of Commerce opposed the Senate bill that would have implemented a similar, voluntary program because they said it would lead to costly rules and regulations and would burden companies without reducing the risks. Obama and senior national security officials said minimum security requirements were needed so that companies would protect critical infrastructure.
Obama has been dogged during the presidential campaign by Republicans who claim his administration is anti-business.