President Obama walks outside the White House in Washington, D.C., on Feb. 12. (Saul Loeb / AFP via Getty Images)
The Obama administration on Tuesday ordered agencies to share classified threat information with companies operating critical infrastructure and called for the creation of voluntary security standards to protect systems critical to national security, such as the electric grid and water treatment facilities.
The executive order, signed by President Obama, follows Congress’ failed attempts last fall to pass comprehensive cybersecurity legislation. Senior administration officials speaking on background Tuesday said the White House was forced to take action, considering the growing cyber threats that could potentially disrupt national security.
The executive order, however, will not replace needed legislation, especially considering that an executive order cannot provide liability protections for companies that adopt security standards but suffer an attack, one senior official told reporters.
“An executive order is not a substitute for legislation, and it’s not the end of a conversation,” the official said. “In fact, it’s really just a continuation of it.”
Under the executive order:
The National Institute of Standards and Technology will publish a draft cybersecurity framework by October. The framework will include voluntary security standards for critical infrastructure companies, based on best practices and industry input. NIST will work with the Department of Homeland Security to publish a final version of the framework within a year.
DHS will create a voluntary program to support adoption of the voluntary standards. By June, DHS, in coordination with the Treasury and Commerce departments, must recommend incentives to entice private-sector involvement in the program.
The Defense Industrial Base Information Sharing Program will be expanded to include more critical infrastructure companies. Under the program, government and industry share classified threat information, including software code used to identify malware. The executive order also requires agencies to share unclassified reports with industry on threats to U.S. companies.
Agencies are directed to regularly assess the privacy and civil liberties impacts of their activities and share that information with the public.
Under the executive order, DHS is tasked with identifying which companies are deemed the most critical infrastructure; those companies are the intended audience for the voluntary program.