* Draft order includes elements of leading Senate measure
* Officials envision cooperative security ties with industry
* Current draft order said to have 'no carrots or sticks'
By Joseph Menn
SAN FRANCISCO, Sept 24 The White House is
preparing to direct federal agencies to develop voluntary
cybersecurity guidelines for owners of power, water and other
critical infrastructure facilities, according to people who
said they had seen recent drafts of an executive order.
The prospective order would give the agencies 90 days to
propose new regulations and create a new cybersecurity council
at the Department of Homeland Security with representatives from
the Defense Department, Justice Department, Director of National
Intelligence and the Department of Commerce, a former government
cyber-security official told Reuters.
"It tells those who have the ability to regulate to go forth
and do so," said the person, who is currently outside the
government and spoke on condition of anonymity in order to
preserve access to government officials.
The draft executive order includes elements of what had been
the leading cybersecurity overhaul bill in the Senate, which was
defeated this summer amid opposition from industries opposed to
Senate Homeland Security Committee Chairman Joe Lieberman,
an independent and one of the principal authors of that bill, on
Monday urged the White House to issue such an order.
"The Department of Homeland Security has clear authority, if
directed by you, to conduct risk assessments of critical
infrastructure, identify those systems or assets that are most
vulnerable to cyber attack and issue voluntary standards for
those critical systems or assets to maintain adequate
cybersecurity," Lieberman wrote to President Barack Obama.
The document has been circulating among the agencies and
might go to top officials for their comments as soon as this
week, another person involved in the process said.
A spokeswoman for the administration's National Security
Council, Caitlin Hayden, confirmed that an order was being
considered but would not provide details. "We're not commenting
on the elements," Hayden said.
Former White House cybersecurity policy coordinator Howard
Schmidt said the proposed order would also ask DHS to confer
with independent agencies, such as electric regulators and
others that don't answer to the president, to see who would take
responsibility on cybersecurity.
The hope, said Schmidt, who has seen a recent draft, is that
if those agencies won't let DHS act they would do it themselves,
as the Securities and Exchange Commission did in October when it
issued guidance on when companies should disclose cyber attacks.
The Commerce Department and the Pentagon declined to
comment. Spokespeople for Lieberman and for Senator John
Rockefeller, another Democratic leader on the issue who has
asked for an executive order, said their offices had not been
given copies of the draft.
Cybersecurity has become a major issue in Congress and for
the White House, with intelligence officials warning of constant
exploration of protected computer systems by hackers and both
past incursions and the likelihood of more damaging future
attacks on electric plants, banks and stock exchanges.
As of two weeks ago, the planned order did not include any
penalties for companies that fail to adhere to the standards. or
rewards for those who do. "There are no carrots or sticks," one
person with a recent copy said.
If the order emerges before the election in November, it
could become an issue in the campaign. Leading Republicans
faulted the Lieberman bill as too onerous. The U.S. Chamber of
Commerce, which also criticized that bill, declined to comment
on Monday on the merits of a prospective order.
But Lieberman said his bill had been watered down in pursuit
of a compromise and asked in his letter Monday that Obama
explore means for making the standards mandatory.
Both Lieberman and administration officials have said they
will still seek legislation, which could go further in many
ways. It might, for example, provide liability protection for
companies that share information with government officials or
that meet the standards but still get hacked.