By David Goldman
Having run out of patience for Congress to act on a cybersecurity bill, President Obama has decided to take matters into his own hands.
Obama signed an executive order on Tuesday addressing the country's most basic cybersecurity needs and highlighted the effort in his State of the Union address.
"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," Obama said.
The order will make it easier for private companies in control of the nation's critical infrastructure to share information about cyberattacks with the government. In return, the Department of Homeland Security will share "sanitized" classified information with companies about attacks believed to be occurring or that are about to take place.
The order also directs the government to work with the private sector on standards that will help protect companies from cybercrime, though there is nothing in the order about how this will be enforced.
This is hardly comprehensive, but at least it's something aimed at protecting our nation's power, water and nuclear systems from attack. That's more than Congress can say it has accomplished. Lawmakers failed to pass any of the dozens of cybersecurity bills aimed at meaningfully securing critical infrastructure from online criminals.
Meanwhile, the number of attacks on critical infrastructure companies reported to a U.S. Department of Homeland Security cybersecurity response team grew by 52% in 2012, according to a recent report. Several of them resulted in successful break-ins.
While Obama's plan to remedy the problem is a start, critics say it has major limitations that make the order virtually meaningless.
"It doesn't have any teeth; it has no backing," said Rob Beck, critical infrastructure cybersecurity consultant for Casaba Security. "This is not going to have any measurable impact on anything."
Administration officials acknowledged the order's limitations on Tuesday, but insisted the changes will have a meaningful impact.
Unlike Congress, the president alone does not have the power to protect companies from lawsuits when they are engaged in information sharing. Since the data they'd be handing over to the federal government could include private information from customers, companies likely won't share that information without guaranteed protections.
"Businesses have to be good citizens, but they also have to be concerned about their liabilities and interests of their users," said Evan Brown, senior counsel with InfoLawGroup, a law firm focused on digital privacy and cybersecurity issues. "There are all kinds of ramifications if companies are found not to be good protectors of user privacy."
There are also concerns that the government's data won't be revealing enough. Unless the government provides details of where an attack is likely to come from and gives specific information about which systems are likely to be hit, the agencies won't be telling critical infrastructure companies anything they don't already know.
"I've seen sanitized classified documents - I'm not sure how useful they'll be," said Beck. "They'll say your systems are a target, but no one in this field thinks their systems aren't a target."
Despite partisan bickering over how to accomplish the task, virtually everyone agrees the status quo is unacceptable. Today, when companies are breached, most of that information stays internal. Companies don't want to be viewed by their customers, competitors or shareholders as weak on security, so few outsiders find out when a cyberattack has taken place.
Lawsuits and public scrutiny over privacy violations could be damaging, but they'd pale in comparison to the outrage that would ensue if a company failed to prevent a crippling cyberattack. Remember how upset the nation was over a half-hour-long power outage during the Super Bowl?
Best practice guidelines and systems for information sharing are a good start, but barring any carrots and sticks, it's unlikely that the executive order will accomplish much. That's why some are calling on the government to put in place mandatory standards that would put all companies in the same boat.
"Until stringent regulations are put in place, then I don't think we're going to make a lot of progress," Beck said.
The White House agrees. It still wants Congress to give the Department of Homeland Security power to regulate critical infrastructure.
And Congress may move quickly. On Wednesday, House Intelligence Committee Chairman Mike Rogers plans on reintroducing the stalled Cyber Intelligence Sharing and Protection Act, which passed a House vote in April but was never taken up in the Senate. That bill also faced an Obama veto threat over the perceived lack of privacy protections. Rogers believes his revised bill will address those concerns.
- CNN's Jessica Yellin and Pam Benson contributed reporting to this article