The Obama Administration continues to send signals that an executive order addressing critical infrastructure cybersecurity is imminent, but there still had been no formal announcement from the White House as of mid-October.
Speculation that the administration would issue an executive order on the topic ramped up in August after the Senate failed to pass comprehensive cybersecurity legislation backed by the White House and Democratic leaders. Dubbed the “Cybersecurity Act” (S. 3414), the bill encountered opposition from Republicans who questioned provisions that would have allowed federal agencies to impose government-crafted “voluntary” cybersecurity standards on drinking water facilities and other critical infrastructure assets in the form of binding, mandatory regulations. Following the failure to pass the bill, advocates began to urge President Obama to enact some portions of the proposal through executive action that does not require congressional approval.
More details emerged when DHS Secretary Janet Napolitano testified before the Senate Homeland Security and Governmental Affairs Committee on September 19. Napolitano said that an executive order intended to boost cybersecurity at the nation’s water systems and other critical infrastructure assets was “close to completion,” though at that point the draft was still in the midst of interagency review. Secretary Napolitano went on to say that the executive order would be more limited in scope than the legislation, but would create a voluntary program through which companies that operate critical infrastructure could choose to meet a set of security standards developed by the government in partnership with the private sector. But because the executive order would only be able to encourage – not require – critical infrastructure owners and operators to participate, Napolitano said the administration would continue to support further congressional action on the topic.