After the White House releases the cyber order which it has been crafting over the last several months Carper said he plans to hold a joint hearing with the Commerce and Intelligence committees to discuss the measures included in the order. Carper said he wants to hear from administration officials and stakeholders' feedback as well. "The administration is going to proffer next month an executive order, we think in the second half of February," Carper told The Hill. "I think the smart thing for us to do would be to receive it, to read it, and I raised this as a possibility with [Commerce Committee] Chairman Sen. Jay Rockefeller [D-W.Va.] today: Maybe the relevant committees do a joint hearing ... and invite the administration to come in, explain the executive order, and invite other folks to come in and react to the executive order," Carper said.
The White House began drafting the executive order after Congress failed to pass cybersecurity legislation last year. The administration has argued that the cybersecurity threat facing the United States is too great for it not to take action while Congress grapples with passing legislation. The executive order builds off a section in a cybersecurity bill that was co-sponsored by Rockefeller, Carper and Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Dianne Feinstein (D-Calif.), which was ultimately blocked by Senate Republicans. The cyber order would create a voluntary program in which companies operating crucial infrastructure would agree to meet a set of cybersecurity standards developed, in part, by the government.
The administration was expected to issue the executive order this month, but it's been kept under wraps. White House Cybersecurity Coordinator Michael Daniel and other administration officials have engaged in an outreach effort with various industry groups, such as the U.S. Chamber of Commerce and the National Cable and Telecommunications Association, over the last few months to receive their feedback about what should be included in the cyber order. A White House spokeswoman declined to comment on the timing of the executive order.
Read more: Carper: Expect White House cyber security order after State of the Union - The Hill's Hillicon Valley
Daniel said new regulations could be needed to create a backstop to address security gaps in the computer systems and networks of the nations water systems, electric grid and other critical infrastructure. Some observers have said the administrations order, issued earlier this month, lacks teeth because the bulk of its measures are voluntary. The order creates a program led by the Homeland Security Department where critical infrastructure operators would join on a voluntary basis and agree to follow a set of cybersecurity best practices and standards crafted jointly by the Commerce Department and the industry.
But Daniel noted that a key part of the order directs primary regulators including the Treasury and Energy departments to review their current regulations and requirements and align them with the standards included in the cybersecurity framework developed by the Commerce Departments National Institute of Standards and Technology. That could result in the agencies taking new executive actions or crafting updated regulations to bring their rules up to speed with the framework. Theyre to compare their current requirements and regulations against that framework, and if they are not sufficient and the companies [are] not participating in the voluntary program for whatever reason, that those regulators could take action to try to bring their requirements and regulations up to the level of the framework, Daniel told The Hill in an interview at the RSA cybersecurity conference. I think from the administrations perspective, we view that as kind of the backstop. This is very significant stuff, and I think the president believes ... we need to have that backstop to make sure that were getting the cybersecurity of that critical infrastructure up to the level of the framework, he added.
The U.S. Chamber of Commerce criticized the executive order when it was issued, saying that it opposes the expansion or creation of new regulatory regimes. But the White House cybersecurity chief said this section of the cyber order is needed to help critical infrastructure thwart cyberattacks that could lead to catastrophic damage in the physical world. In the near term, the White House will focus on overseeing the implementation of the measures in the executive order, while it is also working on a set of legislative principles to help guide Congresss work on cybersecurity legislation.
Daniel said the principles will be similar to those outlined in the cybersecurity legislative proposal the administration delivered to Congress in May 2011, such as stiffening criminal statutes for cyber crime and creating a national data breach notification law that tells companies when they need to report a security breach to the government. He said the forthcoming set of principles will not include bill text, but will reaffirm the administrations support of the 2011 legislative proposal. In Washington, the administration and Congress are engaged in an intense debate about the looming $85 billion automatic budget cuts. Daniel warned that the cuts will affect cybersecurity programs across the federal government and potentially the implementation of the executive order.
Read more: Obama cybersecurity chief warns further regulations may be required - The Hill's Hillicon Valley
The Subcommittee on Europe, Eurasia and Emerging Threats has called on the Obama administration to do more than just issue stern warning statements to China and other nations. Subcommittee chairman Dana Rohrabacher was among the lawmakers who said that what we are now seeing is more than just individual acts of corporate espionage. "China, Iran, North Korea and Russia have all used cyber attacks aimed at strategic infrastructure targets," said Rohrabacher. "Targets that would be attacked in another way if there was a war."
Chairman of the Subcommittee on Europe, Eurasia and Emerging Threats Dana Rohrabacher.
Rohrabacher, a Republican from California, said President Barack Obama needs to do more than just raise the issue with Chinese leaders. He says the president needs to spell out what consequences cyber attacks will have. Ranking member William Keating, a Democrat from Massachusetts, believes an international cyber security framework is needed. "Further, the Internet is an open international domain, and cyber crimes clearly go beyond traditional law enforcement models," said Keating. "For this reason, national policies are incomplete without firm, international, cyber security standards and norms between like-minded allies."
Several of the lawmakers and witnesses said they feel the Chinese government, in particular, is getting away with the large-scale theft of U.S. intellectual property and other cyber attacks without facing any consequences. "The Chinese government cannot think of enough things to do with the money that they have been earning from the economic warfare that they have been executing against the United States," said Greg Autry, senior economist with the Coalition for a Prosperous America. Senior Obama administration officials said they have made it clear to China and other countries that cyber attacks must end. The Chinese government has said that it is a victim, and not a perpetrator, of cyber attacks.