White House spokeswoman Caitlin Hayden said the administration was not going to discuss details of internal deliberations, “but an Executive Order is among the things we’re considering to fulfill the president’s direction to us to do absolutely everything we can to better protect our nation against today’s cyberthreats.”
Compromise legislation to bolster the nation’s defenses against cyberattacks that could affect electric grids, communications networks and other critical infrastructure failed this summer in the face of strong opposition from the Chamber of Commerce and Republicans who decried even voluntary standards as a regulatory burden on business.
Last month, John O. Brennan, President Obama’s top adviser on homeland security and counterterrorism, said an executive order was a good vehicle to make sure “the nation is protected.”
“If the Congress is not going to act on something like this,” he said, “then the president wants to make sure that we’re doing everything possible.”
The four-page draft order, whose contents were described to The Washington Post by several officials this week, is in the early stages, and completion could take months, officials said.
Under the draft, an interagency Cybersecurity Council would be led by the Department of Homeland Security. It would have representatives from the Commerce, Defense, Treasury, Energy and Justice departments as well as from the Director of National Intelligence’s Office.
The council would take intelligence on cyberthreats and translate it into guidance that would be used to develop security standards. It might also prioritize the industry sectors that need the most attention, though no decision has been made on that issue.
The standards, along with best practices, would be written by the National Institute of Standards and Technology, an arm of the Commerce Department, in collaboration with the private sector. Companies would determine what technologies to use to improve cybersecurity.
The creation of clear standards — especially if there is widespread adoption — may help create a market for cybersecurity insurance, officials said. Before insurance underwriters issue a policy, they would have to ensure that firms had met the standards.
The voluntary approach is not a panacea, said one administration official, who spoke on the condition of anonymity to discuss internal deliberations. “We still think it should be mandated,” he said. But “it’s better than sitting around and waiting for legislation.”
Independent agencies, which are not subject to an executive order, may still adopt the voluntary standards and apply them to sectors they regulate, officials said. In some sectors, the administration may already have the authority to impose mandatory cybersecurity standards. One issue being debated as part of the executive order is whether the administration should use that authority.
Some national security experts said the voluntary approach misses an opportunity. If the administration does not mandate standards in some areas, “they’re timid,” said Richard A. Clarke, a White House counterterrorism and cybersecurity adviser under the Bill Clinton and George W. Bush administrations.
He said the president can require standards in sectors where executive branch agencies have authority to enforce them. The Transportation Security Administration, for instance, has authority to regulate pipeline security, he said. The Coast Guard can regulate the security of communications systems at ports. The Federal Railway Administration, he said, can regulate the security of freight and passenger railroad operations.
“If the president has authority to create mandatory standards in some industries and he doesn’t use those,” Clarke said, “then the administration is not serious.”
Clarke also questioned why any company would comply with voluntary standards.
Indeed, some business advocates said even the establishment of voluntary standards is problematic. “Any voluntary approach by this administration is intended to be mandatory,” said Jody Westby, a cybersecurity consultant, noting that officials have stated that that is their goal. “It’s the camel’s nose under the tent. The next thing we know, it’s regulation. This has the potential to be incredibly costly to implement.”
Real changes will not be driven by government, said Jacob Olcott, a cyber expert with Good Harbor Consulting. “They’re going to come from lawsuits, from investors and shareholders asking specific and pointed questions.”
Nonetheless, “a cyber executive order is the best possible option left on the table,” even if just for voluntary standards, said Eric Chapman, associate director of the University of Maryland Cybersecurity Center. “Obstruction is high in Congress, and it’s not realistic that a bill will be acted upon by both bodies before February.”