The Obama administration is weighing plans to use its executive power to press U.S. businesses to better protect critical industries from potentially crippling computer attacks, after Congress failed to pass such legislation last week.
President Barack Obama may use his authority to issue orders compelling or encouraging private industry to meet minimum security standards to protect their computer networks from attacks by hackers or foreign governments, White House counterterrorism adviser John Brennan said Wednesday.
“One of the things that we have to do in the executive branch is to see what we can do to maybe put additional … guidelines or policy in place under executive branch authorities,” Brennan told the Council on Foreign Relations. “If the Congress is not going to act on something like this, then the president is going to do everything possible.“
His comments reflect escalating U.S. worries about the persistent computer network probes, attacks and industrial espionage that already have stolen billions of dollars in high-tech data from U.S. companies and could eventually shut down critical water or power plants.
A fierce lobbying effort by businesses and the U.S. Chamber of Commerce stalled legislation in the Senate, even after authors revised the bill so that it called for voluntary participation by companies, rather than creating new regulations and mandates.
Brennan said the White House was looking at possible additional guidelines or changes in policy, but he did not indicate whether such measures would require industry participation or use incentives to encourage voluntary action.
“We're going to keep pushing on the Congress, but we're also going to do what we can under executive branch
authorities,” he said.
Security against cyberattacks is a big deal these days
The Senate cyberattack legislation initially had given the federal government new authority to require businesses to protect their networks, but there was widespread opposition to the idea of expanding federal regulatory powers during tough economic times.
The revised bill offered incentives, such as liability protection and technical assistance, to businesses that voluntarily participated in a government-managed computer security program. Industry associations and groups would be involved in developing the standards needed to blunt the risks of computer attacks, according to the revised legislation.
Industry groups, however, said voluntary standards would lead to mandates. The U.S. Chamber of Commerce and other congressional Republicans support a competing bill drafted by Sen. John McCain, R-Ariz., that is similar to legislation passed by the House in late April. Those bills are focused only on the sharing of threat information between the federal government and private sector. The White House threatened to veto the House bill, however, over concerns the bill didn't do enough to protect privacy rights.
“I think the administration is seriously frustrated over the lack of congressional action and may decide they have no choice” but to act administratively, said Roger Cressey, who served as a cybersecurity and counterterrorism adviser in the Clinton and George W. Bush administrations.
Cressey, now a senior vice president at the Booz Allen Hamilton consulting firm, said the administration was weighing a number of options, including offering incentives, such as liability protection, to entice industry to opt-in to voluntary computer security standards. He said there likely would be more conversations about the issue after Congress returns in September before the White House takes any action.
Senate leaders have said they will take another stab at passing the computer security bill in September. But at least one of
the bill's authors, Sen. Susan Collins, R-Maine, voiced concern about the impact of White House action.
“Given the threat, I understand the administration's desire to act, but an executive order should not be a substitute for legislative action,” Collins said. “I am deeply disappointed that the Senate failed to pass our bipartisan bill before the August recess, but it remains imperative that this Congress address this issue. An executive order could send the unintended signal that congressional action is not urgently needed.“
Sen. Joe Lieberman, I-Conn., who also is one of the authors, noted that there were some provisions that could only be done by statute. But, he added, “If Congress cannot get its act together to protect our nation from the real, urgent and growing threat of cyberattack, then the president must do everything he can by executive order.“
It's not clear whether the threat of executive action could trigger greater support for the bill or whether it merely would coalesce opposition.
Top military, intelligence and national security officials have ramped up their warnings to Congress and the American public about the dire cyber threats the U.S. is facing, and the fact that it will only get worse.
Defense Secretary Leon Panetta has described the threat as the next Pearl Harbor. And intelligence officials issued a landmark report late last year charging China and Russia with methodically stealing high-tech data from U.S. companies in order to boost their own economies.
The next step, according to experts, is hackers, criminals, terrorists or enemy nations taking down critical U.S. industries with computer viruses. More than 80 percent of the country's critical infrastructure, which includes financial networks, transportation systems and chemical plants, are owned and operated by the private sector.
And experts contend that while some industries, particularly the financial sector, have taken steps to protect their networks, others have not done enough.
“I think we are stuck in a `Groundhog Day' movie where we're having the same conversation and nothing is changing,” Cressey said. “At the end of the day, the American people should be asking themselves if critical infrastructure is not secure enough, what action should be taken to make it more secure? And whether or not it's an executive order or legislation, something needs to be done.“