Does Obama need to step in to protect power grids from cyberattack?

Congress appears gridlocked on a cybersecurity bill to protect power grids and other critical infrastructure, so President Obama is considering an executive order. 

Rick Wilking/REUTERS/File
The Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colo., is seen as a model for how power grids, communications, water utilities, and financial networks should be shielded from cyberattack.

With Congress apparently deadlocked on cybersecurity legislation, the Obama administration is actively weighing an executive order that would give federal agencies authority to begin protecting computer networks that control the nation's critical infrastructure – such as power grids, refineries, and water facilities – against cyberattack.

An executive order could not be as sweeping as congressional legislation, but top Democrats are increasingly urging President Obama to take whatever action he can, sensing that compromise on a bill currently in the Senate looks unlikely in the near term. 

The order could help the Department of Homeland Security (DHS) better protect federal networks, as well as establish a system of information sharing on potential threats among federal government agencies and private companies. But the participation of private companies would be voluntary, and many might be loath to submit their networks to testing by DHS without the promise of protection from financial liability in the event of a devastating cyberattack – something possible only in a congressional bill.

Indeed, an executive order would involve complications, sources say. 

"They're meeting on this right now, thinking about what would actually be included in such an order," says one source familiar with the meetings, but who spoke with the Monitor only on condition of anonymity.

"One obstacle is that DHS wants more authority than it has, but since there's limited authority in the law for DHS – and [Obama] can't just make it up," the source adds. "Still, there are voluntary measures and incentives that could be implemented."

On Aug. 2, the Senate passed cybersecurity legislation, 52 to 46, but 60 votes are needed to circumvent a filibuster, meaning Republicans can delay the bill indefinitely. Republicans worry that the bill would give the government undue influence over private businesses. Now, as the Senate's fall break approaches, intense legislative negotiations are continuing behind the scenes in a last-minute bid to pull together a compromise. But with any such effort likely to go down to the wire, the White House is pushing ahead, too.

Ideas about what might be in the order are starting to emerge.

The goal would be to have “a near-real-time common operating picture” for threats to critical infrastructure and “strong cooperation” between the government and companies, especially energy and communications companies, according to a draft document now circulating in the White House, Bloomberg reports.

At the same time, DHS would defend federal and nonmilitary networks and coordinate efforts to protect private-sector networks. 

"One thing an executive order would help with is giving DHS the ability to really protect federal networks," says Andrew Cutts, former cybersecurity policy director at DHS. "It has some authority, but needs more."

Still, problems remain – such as how to legally share detailed classified information more broadly among companies.

"The bigger problem is how to protect critical infrastructure outside the federal government," says Mr. Cutts. "It's possible the president could require government agencies to draft a set of voluntary cyberstandards for critical infrastructure owners and operators to follow."

Under the bill in the Senate, operators of natural-gas pipelines, refineries, water-supply systems, and other vital assets would voluntarily submit their computer networks to testing by the DHS. In return, they would get protection from financial liability.

But an executive order would not be able to grant liability exemption, so it could be difficult for DHS to persuade private computer networks – which control 85 percent of the nation's critical infrastructure – to cooperate. The National Security Agency and Pentagon – two federal entities with cutting-edge cyber expertise – also have no direct legal authority to protect those private networks.

Yet senators say something needs to be done.

"I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack," said Sen. Dianne Feinstein (D) of California in a letter to Mr. Obama Tuesday. "While an Executive Order cannot convey protection from liability that private sector companies may face, your Administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security."

Sen. John Rockefeller (D) of West Virginia has also implored Obama to act.

There are signs that the senators' advice is falling on receptive ears.

"One of the things that we need to do in the executive branch is to see what we can do to maybe put additional guidelines and policies in place under executive-branch authority," John Brennan, the president's top counterterrorism adviser, said in remarks to the Council on Foreign Relations on Aug. 8.

"I mean if the Congress is not going to act ... then the president wants to make sure that we are doing everything possible," he said.
