Draft Order Would Give Companies Cyberthreat Info

FE_DA_0912cyber.security.jpg
Associated Press + More

By RICHARD LARDNER, Associated Press

WASHINGTON (AP) — A new White House executive order would direct U.S. spy agencies to share the latest intelligence about cyberthreats with companies operating electric grids, water plants, railroads and other vital industries to help protect them from electronic attacks, according to a copy obtained by The Associated Press.

[READ: Is Iran Attacking U.S. Banks?]

The seven-page draft order, which is being finalized, takes shape as the Obama administration expresses growing concern that Iran could be the first country to use cyberterrorism against the United States. The military is ready to retaliate if the U.S. is hit by cyberweapons, Defense Secretary Leon Panetta said. But the U.S. also is poorly prepared to prevent such an attack, which could damage or knock out critical services that are part of everyday life.

The White House declined to say when the president will sign the order.

The draft order would put the Department of Homeland Security in charge of organizing an information-sharing network that rapidly distributes sanitized summaries of top-secret intelligence reports about known cyberthreats that identify a specific target. With these warnings, known as tear lines, the owners and operators of essential U.S. businesses would be better able to block potential attackers from gaining access to their computer systems.

An organized, broad-based approach for sharing cyberthreat information gathered by the government is widely viewed as essential for any plan to protect U.S. computer networks from foreign nations, terrorist groups and hackers. Existing efforts to exchange information are narrowly focused on specific industries, such as the finance sector, and have had varying degrees of success.

[GALLERY: Obama, Romney Trade Jokes at Alfred E. Smith Gala]

Yet the order has generated stiff opposition from Republicans on Capitol Hill who view it as a unilateral move that bypasses the legislative authority held by Congress.

Administration officials said the order became necessary after Congress failed this summer to pass cybersecurity legislation, leaving critical infrastructure companies vulnerable to a serious and growing threat. Conflicting bills passed separately by the House and Senate included information-sharing provisions. But efforts to get a final measure through both chambers collapsed over the GOP's concerns that the Senate bill would expand the federal government's regulatory power and increase costs for businesses.

The White House has acknowledged that an order from the president, while legally binding, is not enough. Legislation is needed to make other changes to improve the country's digital defenses. An executive order, for example, cannot offer a company protection from liabilities that might result from a cyberattack on its systems.

The addition of the information-sharing provisions is the most significant change to an earlier draft of the order completed in late August. The new draft, which is not dated, retains a section that requires Homeland Security to identify the vital systems that, if hit by cyberattack, could "reasonably result in a debilitating impact" on national and economic security. Other sections establish a program to encourage companies to adopt voluntary security standards and direct federal agencies to determine whether existing cyber security regulations are adequate.

The draft order directs the department to work with the Pentagon, the National Security Agency, the director of national intelligence and the Justice Department to quickly establish the information-sharing mechanism. Selected employees at critical infrastructure companies would receive security clearances allowing them to receive the information, according to the document. Federal agencies would be required to assess whether the order raises any privacy or civil liberties risks.

[READ: How to Protect Against Identity Theft in College]

To foster a two-way exchange of information, the government would ask businesses to tell the government about cyberthreats or cyberattacks. There would be no requirement to do so.