Executive Order on cyber security coming, might include information sharing

White House meeting

As Congress recesses for the national election, the White House is close to issuing an Executive Order on Cyber security in the coming days that could include information-sharing measures for infrastructure providers, according to reports.

Before Congress adjourned for what is expected to be a seven-week long break for the November election, it failed to approve cyber security legislation amid partisan squabbling. Some congressmen who had backed cyber legislation urged President Obama to develop protections including information-sharing procedures with private industry to blunt the threat.

Reports said the president is about to issue an Executive Order directing federal agencies to develop voluntary Cyber security guidelines for critical infrastructure owners, such as power and water companies.

A Sept. 24 report by Reuters quoted former government Cyber security sources saying the pending order would give government agencies 90 days to propose new regulations and create a new Cyber security council at the Department of Homeland Security with representatives from the Defense Department, Justice Department, Director of National Intelligence and the Department of Commerce.

One congressman who had pushed unsuccessfully for Cyber security legislation, Senate Homeland Security and Governmental Affairs Committee chairman Joe Lieberman. (ID-CT), urged the president in a Sept. 24 letter “to use the full extent of his executive powers” to secure the nation’s cyber networks, by conducting risk assessments of the most critical cyber infrastructure and establishing security standards.

In his letter, Lieberman called the Cyber threat to the U.S. “real and imminent.”

“Now that Congress has recessed until after the elections, I am writing to you about the continuing failure of the Senate to pass comprehensive Cyber security legislation.  Countless national security leaders from your administration and the previous administration have made clear that the threat from cyber attack is similar to the threat we faced from terrorism on September 10, 2001 – the danger is real and imminent, yet we have not acted to defend against it.”

Lieberman said Obama should use his executive authority to the maximum extent possible to defend the nation from cyber attack.  “For example, under current law, as set forth in Title II of the Homeland Security Act of 2002, the Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack, and issue voluntary standards for those critical systems or assets to maintain adequate Cyber security,” he said. 

“Though executive action cannot offer private sector entities liability protections for compliance with these guidelines, I urge you to consider other incentives that you can offer by executive action to companies that own critical cyber infrastructure and decide to comply with the cyber defense standards that result from your Executive Order,” he said.

 I urge you to explore any means at your disposal that would encourage regulators to make mandatory the standards developed by the Department of Homeland Security pursuant to your Executive Order so we can guarantee that our most critical infrastructure will be defended against attacks from our adversaries.  

Additionally, Lieberman asked Obama to consider using his authority to strengthen information sharing mechanisms to the fullest extent possible under current law.

 Lieberman noted, however that the executive action can’t make all the changes necessary to facilitate the type of information sharing that he said is urgently needed – but only new statutory authorization will be sufficient.