WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country’s critical infrastructure from cyber attacks that are a growing concern to the economy and national security.
The long-expected executive order, unveiled in the State of the Union speech, follows last year’s failed attempt by the U.S. Congress to pass a law to confront continuing electronic attacks on the networks of U.S. companies and government agencies.
The order, which does not have the same force as law, directs federal authorities to improve information sharing on cyber threats - including some that may be classified - with companies that provide or support critical infrastructure.
Cyber attacks in recent months targeted a succession of major U.S. companies and government agencies, adding fuel to the debate about how the government and the private sector, which runs most of the critical U.S. infrastructure, can best protect sensitive information.
“We know hackers steal people’s identities and infiltrate private e-mail,” Obama said in the address. “We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The new order directs government officials, led by the secretary of homeland security, in the next year to create standards to reduce cybersecurity risks.
The government will offer incentives to encourage companies to adopt them, but because it lacks legal enforcement power, adoption of the so-called Cybersecurity Framework will be voluntary.
To help companies protect themselves, the order also will set up a program to ease delivery of classified cyber threat information to eligible companies. It also calls for expedited security clearances for some company employees who deal with critical infrastructure.
The executive order carries no power to compel companies to reciprocate or to exchange cybersecurity information among themselves. That is one reason why White House officials underscore that the order does not replace legislation that Congress could once again undertake this year.
“It’s not an end of the conversation and in fact it’s just a continuation of it,” said one senior administration official.
Last year’s bill, which also included liability protection for companies, is expected to be reintroduced on Wednesday, according to its author, Republican Representative Mike Rogers, who chairs the House Intelligence Committee.
“We agree that our biggest barriers to bolster our cyber defenses can be fixed only with legislation,” Rogers said.
His bill last year passed the House of Representatives but not the Senate, largely because of concerns about expansion of federal regulations and protecting private information when it comes to sharing private data with the government.
On Tuesday, the U.S. Chamber of Commerce, the powerful business lobby, reiterated its opposition to “expansion or creation of new regulatory regimes” and called Obama’s order unnecessary.
Obama’s executive order requires government officials to comply with and routinely assess privacy standards and civil liberties protections.
Many influential lawmakers and industry heavyweights welcomed Obama’s move as a step closer to a comprehensive cyber security law that bolsters a partnership between the public and private sectors.
“These activities represent a down payment in the protection of our nation’s cyber infrastructure, which Congress will build upon as they develop comprehensive cybersecurity legislation,” said Michael Chertoff, former secretary of homeland security under President George W. Bush. He called the executive order a “critical step in protecting America.”
A trio of Republican senators and leaders in national security - John McCain, Saxby Chambliss and John Thune - said the executive action could not “achieve the balanced approach” that a Congressional law would and pledged to ensure thorough oversight of any action directed by the order.
“The Senate should follow regular order and craft legislation that will have an immediate impact on our nation’s cybersecurity without adding or prompting regulations that could discourage innovation and negatively impact our struggling economy,” they said in a joint statement.
Additional reporting by Joseph Menn in San Francisco; Editing by Marilyn W. Thompson, Eric Beech and Jim Loney