The Washington Post

Obama orders voluntary security standards for critical industries’ computers

Citing the growing threat from cyberattacks, President Obama on Tuesday announced that he had signed an executive order that calls for the creation of voluntary standards to boost the security of computer networks in critical industries such as those that keep trains from colliding and drinking water clean.

“We know hackers steal people’s identities and infiltrate private e-mail,” he said in his State of the Union speech. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The establishment of standards is part of a broader administration effort to protect the nation against a growing cyberthreat and the prospect of attacks that result in the loss of sensitive corporate data or even physical damage and deaths. In his speech, Obama also called on Congress to pass legislation to give government greater ability to deter attacks.

In the works since last summer, the order also calls for greater sharing of cyberthreat information by the federal government with the private sector to better detect risks. The president’s executive action follows a failed effort by Congress to pass a law calling for voluntary standards.

The order does not create regulations or authorities. Rather, it directs the Commerce Department to work with industry and federal agencies to craft a framework of standards within a year. The standards would apply only to sectors regulated by federal agencies, such as banking and electric power. “This is not designed to be a one-size-fits-all approach,” said a senior administration official, speaking on the condition of anonymity to discuss an order before Obama announced it.

The standards would affect only the most critical functions within sectors, such as computers that run financial trading systems or electric power generation. Computers that operate a bank’s Web site, for example, would not be subject to the standards.

Although the administration is stressing the program’s voluntary nature, it left open the possibility that regulators may use their authority to enforce the standards. “So . . . this actually does have some teeth to it,” the official said.

The effort has drawn criticism from some business interests as a backdoor to burdensome regulations.

The executive order is “likely to be only marginally effective in enhancing cybersecurity,” said Paul Rosenzweig, a former Department of Homeland Security official who is now a security consultant. “In the absence of liability protections and other incentives, most private sector actors will choose not to participate.”

The order calls for agencies to review incentives that could be offered to induce compliance. But one of the biggest — protection from lawsuits — can come only from Congress.

Some experts say the executive order eventually could create a “standard of care” that companies would be encouraged to observe to avoid being sued. “And that’s a good thing,” said Jacob Olcott, a cyber expert with Good Harbor Security Risk Management.

The order also directs agencies to increase the flow of cyberthreat data to companies, including warnings that they are being targeted. They will share malware, not people’s personal information, one official said. “It’s not about content,” he added.

Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.
