Warning that cyberattacks pose a danger to US security, President Barack Obama signed an executive order on Tuesday designed to better protect critical infrastructure from computer hackers.
Obama, in his annual State of the Union speech to a joint session of the US Congress, said the United States is facing a “rapidly growing threat from cyberattacks.”
“We know hackers steal people’s identities and infiltrate private email,” he said. “We know foreign countries and companies swipe our corporate secrets.
“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” Obama added.
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Obama said his executive order would “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy.”
The president also urged Congress to pass legislation “to give our government a greater capacity to secure our networks and deter attacks.”
The executive order calls for voluntary reporting of threats to US infrastructure, such as power grids, pipelines and water systems.
The directive, which follows two failed attempts in Congress to pass cybersecurity legislation, allows the government to lead an information-sharing network but stops short of making mandatory the reporting of cyber threats.
A senior administration official said the order does not preclude the need for legislation but gets a cybersecurity program started that can encourage sharing information that may be confidential or classified.
The order allows for “sharing of classified information in a way that protects that classified information but enables the broader use of it to protect our critical infrastructure,” the official said.
The White House move came despite criticism from some lawmakers that an executive order bypasses the legislative process.
White House officials noted that the measure would not apply to consumer-based services or information systems that do not meet the standard of “critical infrastructure.”
“It’s about protecting the systems and assets where an attack could have a debilitating impact on our national security,” one official said.
The officials sought to quell concerns the measure could lead to increased surveillance of citizens, and said it requires federal agencies “to carry out these tasks in a way that protects privacy and civil liberties.”
Legislation has stalled on cybersecurity amid opposition from a coalition of civil libertarians who fear it could allow too much government snooping and conservatives who say it would create a new bureaucracy.
US military officials have argued that legislation is needed to protect infrastructure critical to national defense, including power grids, water systems and industries ranging from transportation to communications.
Some lawmakers criticized the president for issuing an executive order instead of working with Congress.
The order “cannot achieve the balanced approach that must be accomplished collaboratively through legislation and with the support of the American people,” said a statement from Republican Senators John McCain, Saxby Chambliss and John Thune.
“We will closely examine the executive order and ensure that there is thorough congressional oversight of any action it directs.”
House Homeland Security Chairman Michael McCaul said he was “concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses and fail to keep pace with evolving cyber threats.”
But the measure also drew praise, including from Michelle Richardson of the American Civil Liberties Union, who said the order “rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties.”
Leslie Harris of the Center for Democracy & Technology welcomed the directive, arguing it “says that privacy must be built into the government’s cybersecurity plans and activities, not as an afterthought but rather as part of the design.”
But the director of George Mason University’s Technology Policy Program Jerry Brito said in a tweet that “top-down regulation is the last thing that will improve cybersecurity.”