WASHINGTON (AP) — The White House cybersecurity executive order President Barack Obama signed Tuesday will be the most comprehensive plan yet for confronting electronic attacks on America’s computer networks, or at least a good-faith effort amid an alarming tide in industrial espionage in the past year that experts blame mostly on China.
Describing the order as a down payment on future legislation, senior administration officials said it calls for the development of voluntary standards to protect the networks and computer systems that run America’s critical infrastructure. And it directs U.S. defense and intelligence agencies to share classified threat data with those companies, which are considered vital to the U.S. economy, such as power, transportation and banking.
The order has been months in the making and is the product of often difficult negotiations with private sector companies that oppose any increased government regulation.
While largely symbolic, the plan leaves practical questions unanswered: Should a business be required to tell the government if it’s been hacked and U.S. interests are at stake? Can you sue your bank or water treatment facility if those companies don’t take reasonable steps to protect you? And if a private company’s systems are breached, should the government swoop in to stop the attacks — and pick up the tab?
Under the president’s new order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.
Officials will also come up with incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.
The administration was limited by law in what it could include in an executive order. But the order also calls for agencies to review their existing regulations to determine if the rules adequately address cybersecurity risks.
Congress has been struggling for more than three years to reach a consensus on cybersecurity legislation. Given that failure and the escalating risks to critical systems, Obama turned to the order as a stopgap measure with the hope that lawmakers will be able to pass a bill this year. Leaders of the House Intelligence Committee said they plan to re-introduce their bill, which encourages the government to share classified threat information and empowers companies to share data as well, while providing privacy and liability protections.
The process has exposed how difficult and complex the issue is, turning the long-awaited executive order into a bureaucratic scramble aimed at showing countries like China and Iran that the U.S. takes seriously the protection of consumer secrets. It’s been an intensive effort by White House staff and industry lobbyists wary of government intervention but fearful about their bottom line.
“I think in general it means (the U.S.) will advance the case of cybersecurity, and that’s important,” said Paul Smocer, the head of the technology policy division at The Financial Services Roundtable, a powerful lobbying group that represents the nation’s biggest banks. “How much teeth versus how much gum there is, we’ll see.”
The cyberthreat to the U.S. has been heavily debated since the 1990s, when much of American commerce shifted online and critical systems began to rely increasingly on networked computers. Security experts began to warn of looming disaster, including threats that terrorists could cut off a city’s water supply or shut down electricity. But what’s emerged in recent years, according to cyber experts, is the constant pilfering of America’s intellectual property by U.S. competitors.
“We have, as the U.S. government, set up lawn chairs, told the burglars where the silver is in the bottom drawer, and opened up the case of beer and watched them do it,” Rep. Mike Rogers, the Republican chairman of the House intelligence committee, told CBS’ “Face the Nation” this week.
The U.S. has been preparing a new intelligence estimate that details cyber espionage as a growing economic problem. One official told The Associated Press last week that the estimate was expected to cite more directly a role by the Chinese government and favor aggressive action against the Chinese government. The official was not authorized to discuss the classified report and spoke only on condition of anonymity.
The report is expected to expand on a November 2011 report by U.S. intelligence agencies that accused Russia and China of systematically stealing American high-tech data for their own economic gain. China has denied the claims.
Richard Clarke, a former White House cybersecurity adviser during the Clinton administration, said that executive orders and intelligence estimates aside, the U.S. in 15 years of debate on the subject still hasn’t answered the very practical questions of who exactly is in charge of stopping a cyberattack on commercial networks and at what point the government should deploy its own resources.
Follow Anne Flaherty on Twitter at https://twitter.com/AnneKFlaherty .