Taking matters into his own hands after the U.S. Congress failed to pass the Cybersecurity Act of 2012 this summer, President Obama appears to be preparing an executive order aimed at protecting critical national infrastructure, including power plants, and natural gas and crude pipelines, from cyber attacks.
According to a draft of the order obtained by the Associated Press, the new rules propose security standards for critical infrastructure and create a council of federal agencies that would report to the president on cyber threats.
In July Obama called on the Senate to pass comprehensive legislation aimed at protecting the United States from a computer-based attack, which could cripple the infrastructure of the country (see NGI, July 23). In an opinion piece published in the Wall Street Journal, Obama said hackers had penetrated computer networks of companies that operate natural gas pipelines, and that "computer systems in [other] critical sectors of our economy -- including the nuclear and chemical industries -- are being increasingly targeted."
The Cybersecurity Act of 2012, which was proposed by Sen. Joseph Lieberman (I-CT) and four co-sponsors, was defeated in the Senate in August when it failed to gain the 60 votes necessary in a 52-46 vote.
The Associated Press said the draft order would seek better digital defenses for critical infrastructure while encouraging economic prosperity and promoting privacy and civil liberties. A new critical infrastructure cybersecurity council would be run by the Department of Homeland Security (DHS) and include representatives from the Defense, Justice and Commerce departments, as well as National Intelligence. This group would present reports to the president assessing threats, vulnerabilities and consequences for all critical infrastructure sectors. The council would also work with the private sector.
The draft executive order would also allow federal agencies to propose new regulations or broaden existing ones, based on recommendations from the Commerce Department's National Institute of Standards and Technology.
While the legislation petered out this summer in Congress, the topic has been gaining momentum in other circles. Last week at a gathering at the National Press Club in Washington, DC, FERC Chairman Jon Wellinghoff told reporters that the nation's energy infrastructure remained vulnerable to ongoing cyber attacks and the government was powerless to do anything about it (see NGI, Sept. 10).
Wellinghoff said he and Joseph McClelland, who directs electricity reliability for the Federal Energy Regulatory Commission (FERC), have communicated with the DHS and "any other agency that will listen to us" about the need for improved cybersecurity for energy facilities, but with no clear chain of command, the issue appears to have stalled.
"I've said this for six years now, and I've also said I don't care who has the authority, but Congress should give somebody the authority," he said. "It could be me, it could be DHS, it could be DOE [the Department of Energy], it could be whoever -- it could be a cyber-czar in the White House -- I don't care who has the authority, just give it to somebody so we can do something. Because we do get reports on a periodic basis of things that are happening out there that are very concerning to me."
In testimony before a House Committee on Homeland Security subcommittee last week, McClelland said current reliability standard procedures and the definition of the term "bulk power system" -- which excludes Alaska, Hawaii and all local distribution facilities, "including those facilities connected to defense infrastructure" -- handicap the government's ability to quickly and efficiently implement measures to protect the electric grid from cyber attacks and other threats.
The DHS in May reported that there had been an "active series" of cyber attacks on gas pipeline companies' computer networks since last December (see NGI, May 14). DHS said it was working with the FBI and other federal agencies, as well as pipelines, to identify the cyber intruders.
Intelligence Press Inc. All rights reserved. The preceding news report
may not be republished or redistributed, in whole or in part, in any
form, without prior written consent of Intelligence Press, Inc.