President Barack Obama said during his State of the Union address Tuesday that he had signed an executive order aimed at protecting government and businesses from what he called "the rapidly growing threat from cyberattacks."
But the order he signed on Tuesday was significantly weaker than what his administration had proposed two years ago, leaving out a key provision that experts have said was needed to protect the country's most vital computer systems.
Military and intelligence officials have repeatedly warned that malicious hackers could disrupt critical infrastructure with the click of a mouse, causing severe economic loss, sustained blackouts or even mass casualties. But the issue of how to protect the country from a cyber attack has become mired in partisan differences over whether or not to regulate companies.
Much of the country's critical infrastructure -- including power plants, gas pipelines, traffic control systems, and water treatment plants -- is privately owned. And Republicans and business lobbyists have opposed efforts to force those companies to adhere to minimum security standards, saying it was unfair for the government to require them to make costly security improvements. Experts say companies should be required to meet security benchmarks or they won't do them.
The president's executive order says minimum security standards will be voluntary, not mandatory, and companies will receive incentives to follow them.
During his State of the Union address, the president said there was no time to waste.
"We know hackers steal people’s identities and infiltrate private email," Obama said. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
Many experts still said the executive order would help secure the country's vital computer networks after Congress failed to pass cybersecurity legislation last year.
“It’s a significant step forward, but it won’t be as impactful as legislation itself,” said Tom Kellermann, a former member of the bipartisan Commission on Cyber Security for the 44th Presidency, a non-profit research group.
The executive order also calls for government to share data about cyberthreats with companies. To ease privacy concerns, senior administration officials said the shared information would be limited to cyberthreats -- such as pieces of malicious code on networks -- and would not contain the contents of private emails.
Senior administration officials said the executive order was a "down payment" on what they said they hope will be congressional action this year. "Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said Tuesday.
But the prospects of legislation remain uncertain. Despite its growing role as a national security issue, cybersecurity has become mired in partisan differences. Last year, Senate Republicans, led by John McCain (R-Ariz.), rejected legislation, siding with business lobbyists who claimed it would have created costly regulations on companies, which operate about 90 percent of critical infrastructure.
The bill's failure was a major political defeat for the Obama administration, which had pushed for cybersecurity legislation in numerous congressional hearings, closed-door briefings with lawmakers and opinion pieces in newspapers.
Last fall, a group of Senate Republicans warned the president that signing an executive order on cybersecurity "will solidify the present divide."
U.S. Rep. Mike Rogers on Wednesday plans to reintroduce legislation that focuses on increasing information-sharing between the private sector and government. That bill passed the House last year despite privacy concerns from the White House and civil liberties groups that said the bill allows companies to share private information about Americans' Internet use with the government.