U.S. President Barack Obama plans to release a long-awaited executive order aimed at improving the nation’s defenses against cyberattacks as early as Wednesday, according to sources familiar with the matter.
The order, drawn up after Congress failed to pass cyber defense legislation last year, is meant to improve the protection of critical industries and infrastructure from cyber intrusions.
Concerns about cyber attacks, which have hit a succession of major U.S. companies and government agencies in recent months, also could be raised by Obama in his annual State of the Union address to Congress on Tuesday evening.
One of the White House’s major goals is to improve information-sharing about attacks among private companies, and between companies and the government.
“Our biggest issue right now is getting the private sector to a comfort level so they can report anomalies, malware, incidents within their network” without undue fear of being “outed” as victims, said FBI Executive Assistant Director Richard McFeely, head of the Criminal, Cyber, Response and Services Branch.
The order is expected to give the Department of Homeland Security (DHS) the lead role in protecting critical U.S. infrastructure, according to a government official who had seen a final draft of the order’s executive summary.
DHS will be tasked with setting up a system for sharing information about cyber threats with private industry and will be responsible for protecting critical infrastructure, the official said. Most of the critical U.S. infrastructure is run by private industry.
“We know the executive order isn’t going to go as far as legislation could or will go, but it’s a good start,” the official said.
Some Republicans had wanted the Department of Defense to play the lead role instead of DHS.
Cyber security experts say the executive order – which does not have the same force as a law – is a step in the right direction and indicates Obama takes the problem seriously.
“I think this can fairly be described as a down payment on legislation,” said Stewart Baker, former National Security Agency general counsel and a past assistant secretary for policy at the Department of Homeland Security.
Stewart said he thought the executive order would make a difference in policy and practical terms “but whether it will provide practical protection from cyber attacks is still in doubt.”
The executive order will make it easier for people at private companies to get security clearances so classified information can be shared, according to earlier drafts that were leaked and posted online.
It will also make companies work with the National Institute of Standards and Technology to come up with sector-specific standards for cyber security and will then require companies to engage with their regulators to decide how those standards are implemented.
“Companies aren’t going to, at first, be required to do anything. These are voluntary standards, except for a few critical infrastructure companies,” said James Lewis, senior fellow at the Center for Strategic and International Studies.
“If you’re regulated, the regulator will be able to say, ‘Here are some new standards.’ If you’re not regulated you won’t be touched at all.”
(Reporting By Steve Holland, Deborah Charles and Joseph Menn. Writing by Warren Strobel; Editing by Cynthia Osterman and Todd Eastham)