The order, released as Obama began his State of the Union speech to Congress, directs the government to develop a voluntary program of cybersecurity standards for companies operating critical, privately owned infrastructure. It instructs federal agencies to consider putting those standards into existing regulations for businesses.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems.”
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” Obama said.
The executive order expands a government program for sharing classified threat data with defense contractors and Internet-service providers to include infrastructure owners and the companies that provide them with network security.
Cybersecurity has gained renewed national attention in recent weeks with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other news organizations attributed to Chinese hackers, and a wave of denial-of-service attacks that disrupted the websites of U.S. banks.
Obama has said infrastructure such as nuclear plants and railway systems that serve millions of people is vulnerable to hacking and requires greater protection. U.S. officials have urged stronger steps to counter cyber espionage by China, saying in a November 2011 report that Chinese hackers are jeopardizing an estimated $398 billion in research investments by companies, universities and government agencies.
A 2012 Bloomberg Government study concluded that companies including utilities, banks and telephone carriers would have to increase spending nine-fold to achieve the highest attainable level of cybersecurity. The study by the Traverse City, Michigan-based Ponemon Institute, based on interviews with technology managers at 172 U.S. companies and government agencies, concluded they would have to spend $46.6 billion to stop 95 percent of attacks.
The administration has been drafting the executive order for months, seeking to implement some provisions of proposed Senate legislation blocked by Republicans last year.
Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, opposed the Obama-backed Senate bill last year, saying its system of voluntary standards would amount to de facto government regulation that would burden industry and fail to keep current with evolving hacker techniques.
The order may drive shares of network-security companies higher, said Daniel Cummins, an analyst from B. Riley & Co. in New York. Sourcefire Inc., a security provider for government agencies and companies, rose the most in more than three months today on anticipation of Obama releasing the order.
Sourcefire, which sells hardware and software that works from inside a network to detect intrusions and limit their risk, advanced 7.4 percent to $43.06 for the biggest one-day gain since Nov. 1. The Columbia, Maryland-based company had declined 15 percent this year through yesterday, while the Standard & Poor’s 500 Index increased 6.4 percent.
Security companies including Sourcefire, Palo Alto Networks Inc. of Santa Clara, California, and EMC Corp.’s RSA division stand to benefit, Cummins said. EMC is based in Hopkinton, Massachusetts.
Obama issued a separate policy directive today ordering the government to review its security strategies for critical infrastructure.
In his State of the Union speech, Obama said Congress must still act on cybersecurity, “to give our government a greater capacity to secure our networks and deter attacks.”
House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland, have said they plan to reintroduce a cybersecurity bill tomorrow. The measure, which passed the House last year, offers legal protection for companies that share cyber threat information with each other and the government, and makes it easier for the government to pass classified threat data to the private sector.
The Rogers-Ruppersberger bill, which doesn’t impose or suggest standards for companies, earned a veto threat last year from the Obama administration, which said it didn’t do enough to protect critical infrastructure or the privacy of personal data that might be shared by companies.
“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” Michelle Richardson, legislative counsel for the American Civil Liberties Union, said in an e-mail.
The ACLU opposes the Rogers bill, which “allows companies to share sensitive and personal American Internet data with the government, including the National Security Agency and other military agencies,” Richardson said.
Obama in October signed a separate directive authorizing the NSA and military units to take more aggressive action to defeat attacks on government and private computer systems.
Obama’s executive order directs the National Institute of Standards and Technology, part of the U.S. Commerce Department, to develop cybersecurity standards for infrastructure companies. The Homeland Security Department will then work with federal agencies and industry on a voluntary program for companies to adopt the standards.
Under the order, the government will make recommendations on incentives for infrastructure owners to take part in the voluntary standards; expedite security clearances for personnel from critical-infrastructure companies; and study the merits of creating preferences in federal contracting for vendors who meet cybersecurity standards.