The Obama administration is preparing an executive order with new rules to protect U.S. computer systems, after Congress failed earlier this summer to pass a cybersecurity bill. The provisions include voluntary standards for companies, a special council run by the Homeland Security Department and new regulations covering especially vital systems, according to a draft proposal obtained by the Associated Press.
But just weeks before the election, the White House risks complaints that President Obama is anti-business from Republicans and the same pro-business groups that killed the plan on Capitol Hill.
National security officials have warned that electric grids, water plants, banks and other essential industries operated by the private sector are vulnerable to cyberattacks. Yet there are deep divisions over the best approach for keeping hackers and other criminals, foreign governments or terrorist groups from penetrating these systems, which rely heavily on computer networks to remotely control switches, valves and terminals.
Critical infrastructure systems provide services that are part of everyday life. But an enemy with the proper know-how could cause catastrophic damage and chaos by giving the systems incorrect commands or infecting them with malicious software. Potential nightmare scenarios include high-speed trains being put on collision courses, blackouts that last days or perhaps even weeks, or chemical plants that inadvertently release deadly gases.
"If those intruders get into those systems and then can determine how they can in fact interfere in the command and control systems of these systems, they can do things," White House counterterrorism adviser John O. Brennan said last month.
The draft order says it would seek better digital defenses for critical infrastructure while encouraging economic prosperity and promoting privacy and civil liberties. It would create a new critical infrastructure cybersecurity council, which would be run by the Department of Homeland Security and include representatives from the Departments of Defense, Justice and Commerce. The group would submit a report to the president to assess threats, vulnerabilities and consequences for all critical infrastructure sectors.
The order also allows federal agencies to pass new regulations or broaden existing ones, based on recommendations from the Commerce Department's National Institute of Standards and Technology. It would require agencies within 90 days to describe the legal authorities they would use to protect especially important computer systems, define what systems should be covered and determine whether existing regulations are adequate.
A spokeswoman for the National Security Council, Caitlin Hayden, described the order as "one of a number of measures we're considering as we look to implement the president's direction to do absolutely everything we can to better protect our nation against today's cyberthreats." Ms. Hayden declined to comment further on what she described as ongoing internal deliberations.