Obama Orders Cybersecurity Standards for Infrastructure

By Eric Engleman – Feb 13, 2013 12:06 AM ET

President Barack Obama bypassed Congress and issued an executive order to boost U.S. cybersecurity while telling lawmakers they still must act to further strengthen the nation’s computer defenses.

The order, released yesterday as Obama began his State of the Union speech, directs the government to develop voluntary cybersecurity standards for companies operating the nation’s vital infrastructure, such as power grids and air traffic control systems. It instructs federal agencies to consider putting those standards into existing regulations.

“It’s a good first step. It’s not a substitute for legislation,” saidFrank Cilluffo, director of George Washington University’s Homeland Security Policy Institute. Unless the president offers incentives to get companies to be more aggressive about cybersecurity, “it can only take us so far,” said Cilluffo, a former special assistant to President George W. Bush for homeland security.

Obama has said infrastructure such as nuclear plants and railway systems that serve millions of people are vulnerable to hacking and require greater protection. The administration has been drafting the executive order for months, seeking to implement some provisions of proposed Senate legislation blocked by Republicans last year. Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, said the bill’s standards would amount to burdensome regulation.

New Attacks

Cybersecurity has gained renewed national attention in recent weeks with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other news organizations attributed to Chinese hackers, and a wave of denial-of-service attacks that disrupted the websites of U.S. banks.

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems.”

The executive order “will strengthen our cyber defenses,” Obama said, adding that Congress should now pass legislation to “give our government a greater capacity to secure our networks and deter attacks.”

The order may drive shares of network-security companies higher, said Daniel Cummins, an analyst with B. Riley & Co. in New York. Sourcefire Inc., a security provider for government agencies and companies, rose the most in more than three months yesterday on anticipation of Obama releasing the order.

Cybersecurity Standards

The executive order directs the National Institute of Standards and Technology, part of the U.S. Commerce Department, to develop cybersecurity standards for infrastructure companies. The Homeland Security Department will then work with federal agencies and industry on a voluntary program for companies to adopt the standards.

The order also expands a government program for sharing classified threat data with defense contractors and Internet- service providers to include infrastructure owners and the companies that provide them with network security.

Obama can’t give companies legal immunity for exchanging cyber-threat information with each other or with the government, Mary Ellen Callahan, a partner with the law firm Jenner & Block LLC in Washington and a former chief privacy officer with the Homeland Security Department, said in an interview. Some companies are concerned about antitrust and other restrictions on exchanging data, she said.

Legal Obstacles

“The president can only do so much because he’s dealing with existing law and there are obstacles to increase information sharing from the private sector,” Callahan said.

House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A.“Dutch” Ruppersberger of Maryland, have said they plan to reintroduce a cybersecurity bill today. The measure, which passed the House last year, offers legal protection for companies that share cyber-threat information with each other and the government, and makes it easier for the government to pass classified threat data to the private sector.

The Rogers-Ruppersberger bill, which doesn’t impose or suggest standards for companies, earned a veto threat last year from the Obama administration, which said it didn’t do enough to protect critical infrastructure or the privacy of personal data that might be shared by companies.

‘Civil Liberties’

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” Michelle Richardson, legislative counsel for the American Civil Liberties Union, said in an e-mail.

The ACLU opposes the Rogers bill, which “allows companies to share sensitive and personal American Internet data with the government, including the National Security Agency and other military agencies,” Richardson said.

Sourcefire, of Columbia, Maryland, advanced 7.4 percent to $43.06 yesterday for the biggest one-day gain since Nov. 1. Other security companies including Palo Alto Networks Inc. of Santa Clara, California, and EMC Corp.’s RSA division, stand to benefit, Cummins said. EMC is based in Hopkinton, Massachusetts.

To contact the reporter on this story: Eric Engleman in Washington ateengleman1@bloomberg.net

To contact the editor responsible for this story: Bernard Kohn at bkohn2@bloomberg.net