WASHINGTON (Reuters) - President Barack Obama plans to release a long-awaited executive order aimed at improving the nation’s defenses against cyberattacks as early as Wednesday, according to sources familiar with the matter.
The order, drawn up after Congress failed to pass legislation on the issue last year, is meant to improve the protection of critical industries and infrastructure from cyber intrusions.
Concerns about cyber attacks, which have hit a succession of major U.S. companies and government agencies in recent months, also could be raised by Obama in his annual State of the Union address to Congress on Tuesday evening.
One of the White House’s major goals is to improve information-sharing about attacks among private companies, and between companies and the government.
“Our biggest issue right now is getting the private sector to a comfort level so they can report anomalies, malware, incidents within their network” without undue fear of being “outed” as victims, said FBI Executive Assistant Director Richard McFeely, head of the Criminal, Cyber, Response and Services Branch.
Most cyber security experts say the executive order - which does not have the same force as a law - is a step in the right direction and a sign that Obama wants to show that he takes the problem seriously.
“I think this can fairly be described as a down payment on legislation,” said Stewart Baker, former National Security Agency general counsel and a past assistant secretary for policy at the Department of Homeland Security.
Stewart said he thought the executive order would make a difference in policy and practical terms “but whether it will provide practical protection from cyber attacks is still in doubt.”
The executive order will make it easier for people at private companies to get security clearances so classified information can be shared, according to earlier drafts that were leaked and posted online.
It will also make companies work with the National Institute of Standards and Technology to come up with sector-specific standards for cybersecurity and then will require companies to engage with their regulators to decide how those standards are implemented.
“Companies aren’t going to, at first, be required to do anything. These are voluntary standards, except for a few critical infrastructure companies,” said James Lewis, senior fellow at the Center for Strategic and International Studies.
“If you’re regulated, the regulator will be able to say, ‘Here are some new standards.’ If you’re not regulated you won’t be touched at all.”
Reporting By Steve Holland, Deborah Charles and Joseph Menn. Writing by Warren Strobel; Editing by Cynthia Osterman