With Congress apparently deadlocked on cybersecurity legislation, the Obama administration is actively weighing an executive order that would give federal agencies authority to begin protecting computer networks that control the nation's critical infrastructure – such as power grids, refineries, and water facilities – against cyberattack.
An executive order could not be as sweeping as congressional legislation, but top Democrats are increasingly urging President Obama to take whatever action he can, sensing that compromise on a bill currently in the Senate looks unlikely in the near term.
The order could help the Department of Homeland Security (DHS) better protect federal networks, as well as establish a system of information sharing on potential threats among federal government agencies and private companies. But the participation of private companies would be voluntary, and many might be loath to submit their networks to testing by DHS without the promise of protection from financial liability in the event of a devastating cyberattack – something possible only in a congressional bill.
Indeed, an executive order would involve complications, sources say.
"They're meeting on this right now, thinking about what would actually be included in such an order," says one source familiar with the meetings, who spoke with the Monitor only on condition of anonymity.
"One obstacle is that DHS wants more authority than it has, but since there's limited authority in the law for DHS – and [Obama] can't just make it up," the source adds. "Still, there are voluntary measures and incentives that could be implemented."
On Aug. 2, the Senate passed cybersecurity legislation, 52 to 46, but 60 votes are needed to circumvent a filibuster, meaning Republicans can delay the bill indefinitely. Republicans worry that the bill would give the government undue influence over private businesses. Now, as the Senate's fall break approaches, intense legislative negotiations are continuing behind the scenes in a last-minute bid to pull together a compromise. But with any such effort likely to go down to the wire, the White House is pushing ahead, too.
Ideas about what might be in the order are starting to emerge.
The goal would be to have “a near-real-time common operating picture” for threats to critical infrastructure and “strong cooperation” between the government and companies, especially energy and communications companies, according to a draft document now circulating in the White House, Bloomberg reports.
At the same time, DHS would defend federal and nonmilitary networks and coordinate efforts to protect private-sector networks.
"One thing an executive order would help with is giving DHS the ability to really protect federal networks," says Andrew Cutts, former cybersecurity policy director at DHS. "It has some authority, but needs more."
Still, problems remain – such as how to legally share detailed classified information more broadly among companies.
"The bigger problem is how to protect critical infrastructure outside the federal government," says Mr. Cutts. "It's possible the president could require government agencies to draft a set of voluntary cyberstandards for critical infrastructure owners and operators to follow."
Under the bill in the Senate, operators of natural-gas pipelines, refineries, water-supply systems, and other vital assets would voluntarily submit their computer networks to testing by the DHS. In return, they would get protection from financial liability.
But an executive order would not be able to grant liability exemption, so it could be difficult for DHS to persuade private computer networks – which control 85 percent of the nation's critical infrastructure – to cooperate. The National Security Agency and Pentagon – two federal entities with cutting-edge cyber expertise – also have no direct legal authority to protect those private networks.
Yet senators say something needs to be done.
"I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack," said Sen. Dianne Feinstein (D) of California in a letter to Mr. Obama Tuesday. "While an Executive Order cannot convey protection from liability that private sector companies may face, your Administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security."
There are signs that the senators' advice is falling on receptive ears.
"One of the things that we need to do in the executive branch is to see what we can do to maybe put additional guidelines and policies in place under executive-branch authority," John Brennan, the president's top counterterrorism adviser, said in remarks to the Council on Foreign Relations on Aug. 8.
"I mean if the Congress is not going to act ... then the president wants to make sure that we are doing everything possible," he said.