The White House so far has failed to get a bill passed by both houses of Congress to improve the cybersecurity of the nation’s critical infrastructure, so it wants to take an alternative approach.
The administration has created a draft executive order detailing how, within its authority, it would improve the information assurance of the nation’s critical infrastructure, such as the power grid and financial industries.
The draft EO includes eight sections, including the requirement to develop a way for industry to submit threat and vulnerability data to the government.
The draft EO, which Federal News Radio viewed a draft copy of, closely follows the second version of comprehensive cyber legislation introduced by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R- Maine) in July.
The draft order gives agencies several deadlines to meet, either by writing reports or creating and implementing frameworks.
For instance, 90 days after the EO is signed by President Barack Obama, the cybersecurity council — led by the Homeland Security Department secretary — must develop a report to determine which agencies should regulate which parts of the critical infrastructure. The creation of the council is in section 2 of the draft EO.
Under earlier cyber bills, DHS would take the lead in regulation, and that concerned some lawmakers and experts. It was a major sticking point in moving forward with a vote on a comprehensive bill.
“An executive order is one of a number of measures we’re considering as we look to implement the President’s direction to do absolutely everything we can to better protect our nation against today’s cyberthreats,” said a National Security Council spokeswoman in an email statement. “We are not going to comment on ongoing internal deliberations.”
Sources say the White House held a call with federal cyber leaders last week to discuss the draft order.
Section 8 of the draft order, which has five subsections, includes the most significant changes to how the government wants to oversee critical infrastructure.
One subsection would ask industry to voluntarily submit cyber threat information to the government. The draft order says this data wouldn’t be used for regulatory purposes or used against companies. Sources say there aren’t any liability protections in the EO because that could only come from Congress.
A second subsection would require DHS to undertake privacy assessments of the data they collect around critical infrastructure.
A third subsection limits what critical infrastructure is included under the draft EO, and makes clear that First Amendment protections will apply to how the government identifies critical infrastructure.
A fourth subsection would address acquisition and the preferences for products and services that meet the cyber standards developed by the DHS-led council.
The final subsection would call for a report within 120 days discussing possible incentives such as liability protection, expedited security clearances and recognition by the government that the critical-infrastructure owner and operator meet the voluntary standards.
Sources say this subsection also is very similar to the Lieberman-Collins cyber bill.
Another part of the EO, Section 4, requires the DHS-led council to develop a framework to remediate and mitigate risks for critical infrastructure. A draft roadmap would be due in 90 days and then be sent out for public comment in 180 days.
Sources say the order doesn’t advocate for any specific technology or approach to remediating or mitigating risks, and is not “ordering” industry to take specific steps.
Section 3 would require DHS to identify the critical infrastructure owners and operators that the government would ask to voluntarily participate in the framework. In 60 days, DHS would have to submit a report to the President detailing the critical infrastructure that if attacked would threaten the lives of citizens or the national security of the country.
Sources say DHS already has identified these owners and operators.
Does not address FISMA
The next part, Section 5, would require the council to create a voluntary critical-infrastructure program to promote adoption of the framework. It would address incentives such as telling the public who conforms to the framework and who doesn’t. Sources say it doesn’t advocate for rewards or more tangible incentives such as liability protection like the Lieberman-Collins bill does.
Section 7 is the only part of the EO that would specifically address federal agency networks.
It calls for DHS to identify critical infrastructure owned and operated by federal agencies and to assist the agencies in identifying and mitigating risks.
Sources say this too is very similar to the Lieberman-Collins bill.
The draft EO doesn’t include any of the ideas in the bill to reform the Federal Information Security Management Act (FISMA) or any of the cyber workforce and training provisions.
Sections 9 and 10 are definitions and general provisions, basic administrative parts of the draft EO.
Sources say few if any lawmakers or their staffs have seen the draft EO, and there still is minimal hope the Senate can pass a version of the comprehensive cyber bill by the end of the December.
In a statement provided to Federal News Radio, Sen. Susan Collins (R-Maine), the co-author of the Senate bill, said she understands the Obama administration’s “desire to act” but said an executive order shouldn’t be a substitute for congressional action.
“I am deeply disappointed that the Senate failed to pass our bipartisan bill before the August recess, but it remains imperative that this Congress address this issue,” Collins said. “An executive order could send the unintended signal that congressional action is not urgently needed.”
Others in the federal community already are coming out against a cyber executive order.
“The President should resist the temptation to ladle on a new regulatory bureaucracy (or bureaucracies) simply to satisfy the need to ‘do something,'” wrote Steve Bucci of the Heritage Foundation in a blog post. “If it is not done right, it will do damage. Let the debate continue until it is done right, Mr. President. It’s called the democratic process, and it invariably provides the best answers, even if it takes awhile.”