Obama orders voluntary security standards for critical industries’ computer networks
By Ellen Nakashima
Citing the growing threat from cyberattacks, President Obama on Tuesday announced that he had signed an executive order that calls for the creation of voluntary standards to boost the security of computer networks in critical industries such as those that keep trains from colliding and drinking water clean.
“We know hackers steal people’s identities and infiltrate private e-mail,” he said in his State of the Union speech. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The establishment of standards is part of a broader administration effort to protect the nation against a growing cyberthreat and the prospect of attacks that result in the loss of sensitive corporate data or even physical damage and deaths. In his speech, Obama also called on Congress to pass legislation to give government greater ability to deter attacks.
In the works since last summer, the order also calls for greater sharing of cyberthreat information by the federal government with the private sector to better detect risks. The president’s executive action follows a failed effort by Congress to pass a law calling for voluntary standards.
The order does not create regulations or authorities. Rather, it directs the Commerce Department to work with industry and federal agencies to craft a framework of standards within a year. The standards would apply only to sectors regulated by federal agencies, such as banking and electric power. “This is not designed to be a one-size-fits-all approach,” said a senior administration official, speaking on the condition of anonymity to discuss an order before Obama announced it.
The standards would affect only the most critical functions within sectors, such as computers that run financial trading systems or electric power generation. Computers that operate a bank’s Web site, for example, would not be subject to the standards.
Although the administration is stressing the program’s voluntary nature, it left open the possibility that regulators may use their authority to enforce the standards. “So . . . this actually does have some teeth to it,” the official said.
The effort has drawn criticism from some business interests as a backdoor to burdensome regulations.
The executive order is “likely to be only marginally effective in enhancing cybersecurity,” said Paul Rosenzweig, a former Department of Homeland Security official who is now a security consultant. “In the absence of liability protections and other incentives, most private sector actors will choose not to participate.”
The order calls for agencies to review incentives that could be offered to induce compliance. But one of the biggest — protection from lawsuits — can come only from Congress.
Some experts say the executive order eventually could create a “standard of care” that companies would be encouraged to observe to avoid being sued. “And that’s a good thing,” said Jacob Olcott, a cyber expert with Good Harbor Security Risk Management.
The order also directs agencies to increase the flow of cyberthreat data to companies, including warnings that they are being targeted. They will share malware, not people’s personal information, one official said. “It’s not about content,” he added.