White House spokeswoman Caitlin Hayden said the administration was not going to discuss details of internal deliberations, “but an Executive Order is among the things we’re considering to fulfill the president’s direction to us to do absolutely everything we can to better protect our nation against today’s cyberthreats.”
Compromise legislation to bolster the nation’s defenses against cyberattacks that could affect electric grids, communications networks and other critical infrastructure failed this summer in the face of strong opposition from the Chamber of Commerce and Republicans who decried even voluntary standards as a regulatory burden on business.
Last month, John O. Brennan, President Obama’s top adviser on homeland security and counterterrorism, said an executive order was a good vehicle to make sure “the nation is protected.”
“If the Congress is not going to act on something like this,” he said, “then the president wants to make sure that we’re doing everything possible.”
The four-page draft order, whose contents were described to The Washington Post by several officials this week, is in the early stages, and completion could take months, officials said.
Under the draft, an interagency Cybersecurity Council would be led by the Department of Homeland Security. It would have representatives from the Commerce, Defense, Treasury, Energy and Justice departments as well as from the Director of National Intelligence’s Office.
The council would take intelligence on cyberthreats and translate it into guidance that would be used to develop security standards. It might also prioritize the industry sectors that need the most attention, though no decision has been made on that issue.
The standards, along with best practices, would be written by the National Institute of Standards and Technology, an arm of the Commerce Department, in collaboration with the private sector. Companies would determine what technologies to use to improve cybersecurity.
The creation of clear standards — especially if there is widespread adoption — may help create a market for cybersecurity insurance, officials said. Before insurance underwriters issue a policy, they would have to ensure that firms had met the standards.
The voluntary approach is not a panacea, said one administration official, who spoke on the condition of anonymity to discuss internal deliberations. “We still think it should be mandated,” he said. But “it’s better than sitting around and waiting for legislation.”