25 Sept 2012

White House circulating draft of executive order on cybersecurity

The White House is circulating a draft of an executive order aimed at protecting the country from cyberattacks, The Hill has learned.
The draft proposal, which has been sent to relevant federal agencies for feedback, is a clear sign that the administration is resolved to take action on cybersecurity even as Congress remains gridlocked on legislation that would address the threat.

The draft executive order would establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government, according to two people familiar with the document.

The concept builds off of a section in the cybersecurity bill from Sen. Joe Lieberman (I-Conn.) that was blocked last month by Senate Republicans, who called it a backdoor to new regulations.

The draft has undergone multiple revisions and is brief, spanning no more than five pages. It is still being worked on and is subject to change, the people familiar with the draft stressed.

It's also unclear whether the final product will get the president's approval to move forward.

A new draft of the executive order is expected to be shared with agencies next week.

White House counterterrorism adviser John Brennan first floated the idea of an executive order in a speech a few days after the Senate bill failed. He said the White House would consider taking action on the executive level to ensure key infrastructure such as the power grid, water supply and transportation networks are secure.

The momentum for cybersecurity legislation in Congress weakened after Lieberman's bill failed to clear the Senate. Now industry groups and Congress are watching the White House for clues about what might be included in an executive order on cybersecurity.

A spokeswoman for the White House declined to comment on whether a draft of an executive order was being circulated, but said it is one of the options the administration is weighing.

"An executive order is one of a number of measures we're considering as we look to implement the president's direction to do absolutely everything we can to better protect our nation against today's cyberthreats," said White House spokeswoman Caitlin Hayden. "We are not going to comment on ongoing internal deliberations."

Sponsors of Lieberman's bill have urged the White House to issue an executive order to put measures in place that ensure key infrastructure is better protected from cyberattacks. Sens. Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.) both sent letters to the White House last month that urged the president to take action.

According to the people familiar with the draft, the executive order would set up an inter-agency council that would be led by the Department of Homeland Security (DHS). Members of the council would include the Department of Defense and the Commerce Department, and discussions are ongoing about including other agencies and officials, such as representatives from the Department of Energy and Treasury Department, as well as the attorney general and the director of national intelligence.

DHS would be responsible for the overall management of the program, but the Commerce Department's National Institute of Standards and Technology (NIST) would work with industry to help craft the framework for it. NIST would work with the private sector to develop cybersecurity guidelines and best practices.

DHS would receive the guidance from NIST and work with so-called sector coordinating councils to identify which industry sectors would be considered critical infrastructure, as well as determine what cybersecurity best practices and standards the industry participants in the voluntary program would follow.

Those coordinating councils are already in place, and fall under an arm of DHS that manages critical infrastructure protection. The councils are run and organized by industry members from each sector, such as financial services and electricity.

It would be left up to the companies to decide what steps they want to take to meet the standards, so the government would not dictate what type of technology or strategy they should adopt.

One of the main issues still under discussion involves the kinds of incentives the government will offer critical infrastructure operators to entice them into the program.

The executive branch is limited when it comes to the types of incentives it can offer companies, as much of that authority rests with Congress. For instance, the executive branch is barred from offering companies liability protection if they face lawsuits after a security breach.

"For many of these incentives, you need new legislative authority," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, who has not seen a copy of the draft executive order.

To get industry participation in the program, Lewis argues that it's key for the inter-agency council to include agencies that already regulate critical infrastructure, such as the Federal Energy Regulatory Commission.

Lewis also fears that it would take the government too long to get the voluntary program in the executive order up and running.

"The White House needs to step back and say, 'Does this make a meaningful contribution in the near term?' " Lewis said.

Additionally, he cautioned that industry would balk at electing to join a program led by DHS, which has a spotty track record when it comes to leading national security efforts.

"Find me a company that says 'I'm going to voluntarily agree to be regulated by DHS.' Nobody is going to volunteer to have DHS regulate them," Lewis said.

http://thehill.com/blogs/hillicon-valley/technology/248079-white-house-circulating-draft-of-executive-order-on-cybersecurity