RPT-White House said to plan executive order on cybersecurity

Joseph Menn

* Draft order includes elements of leading Senate measure

* Officials envision cooperative security ties with industry

* Current draft order said to have 'no carrots or sticks'

SAN FRANCISCO, Sept 24 (Reuters) - The White House is

preparing to direct federal agencies to develop voluntary

cybersecurity guidelines for owners of power, water and other

critical infrastructure facilities, according to people who

said they had seen recent drafts of an executive order.

The prospective order would give the agencies 90 days to

propose new regulations and create a new cybersecurity council

at the Department of Homeland Security with representatives from

the Defense Department, Justice Department, Director of National

Intelligence and the Department of Commerce, a former government

cyber-security official told Reuters.

"It tells those who have the ability to regulate to go forth

and do so," said the person, who is currently outside the

government and spoke on condition of anonymity in order to

preserve access to government officials.

The draft executive order includes elements of what had been

the leading cybersecurity overhaul bill in the Senate, which was

defeated this summer amid opposition from industries opposed to

increased regulation.

Senate Homeland Security Committee Chairman Joe Lieberman,

an independent and one of the principal authors of that bill, on

Monday urged the White House to issue such an order.

"The Department of Homeland Security has clear authority, if

directed by you, to conduct risk assessments of critical

infrastructure, identify those systems or assets that are most

vulnerable to cyber attack and issue voluntary standards for

those critical systems or assets to maintain adequate

cybersecurity," Lieberman wrote to President Barack Obama.

The document has been circulating among the agencies and

might go to top officials for their comments as soon as this

week, another person involved in the process said.

A spokeswoman for the administration's National Security

Council, Caitlin Hayden, confirmed that an order was being

considered but would not provide details. "We're not commenting

on the elements," Hayden said.


Former White House cybersecurity policy coordinator Howard

Schmidt said the proposed order would also ask DHS to confer

with independent agencies, such as electric regulators and

others that don't answer to the president, to see who would take

responsibility on cybersecurity.

The hope, said Schmidt, who has seen a recent draft, is that

if those agencies won't let DHS act they would do it themselves,

as the Securities and Exchange Commission did in October when it

issued guidance on when companies should disclose cyber attacks.

The Commerce Department and the Pentagon declined to

comment. Spokespeople for Lieberman and for Senator John

Rockefeller, another Democratic leader on the issue who has

asked for an executive order, said their offices had not been

given copies of the draft.

Cybersecurity has become a major issue in Congress and for

the White House, with intelligence officials warning of constant

exploration of protected computer systems by hackers and both

past incursions and the likelihood of more damaging future

attacks on electric plants, banks and stock exchanges.

As of two weeks ago, the planned order did not include any

penalties for companies that fail to adhere to the standards. or

rewards for those who do. "There are no carrots or sticks," one

person with a recent copy said.

If the order emerges before the election in November, it

could become an issue in the campaign. Leading Republicans

faulted the Lieberman bill as too onerous. The U.S. Chamber of

Commerce, which also criticized that bill, declined to comment

on Monday on the merits of a prospective order.

But Lieberman said his bill had been watered down in pursuit

of a compromise and asked in his letter Monday that Obama

explore means for making the standards mandatory.

Both Lieberman and administration officials have said they

will still seek legislation, which could go further in many

ways. It might, for example, provide liability protection for

companies that share information with government officials or

that meet the standards but still get hacked.

By using Yahoo you agree that Yahoo and partners may use Cookies for personalisation and other purposes