President Barack Obama on Tuesday issued an executive order to strengthen the cyber security of the nation's critical infrastructure, which raises questions about the order's impact on business, say observers.

The order requires federal agencies to produce unclassified reports of threats to U.S. companies, with the reports to be shared with targeted entities in a timely manner. It also expands the federal Enhanced Cybersecurity Services Program to enable sharing cyber threat information to assist critical infrastructure companies in their cyber protection efforts.

In addition, the order calls for the National Institute of Standards and Technology to work collaboratively with critical infrastructure shareholders to develop a cyber security framework, according to the White House.

In his State of the Union address on Tuesday, President Obama talked about the issue of cyber security.

“America must also face the rapidly growing threat from cyber attacks. Now, we know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” he said.

“And that's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs, and our privacy,” the president continued. “But now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis.”

%%BREAK%%

The executive order comes after Congress' failure to pass significant cyber security legislation to date.

In April, the U.S. House of Representatives voted to approve the Cyber Intelligence Sharing and Protection Act, H.R. 3523, but the Obama administration sharply criticized the bill and threatened to veto it if it received congressional approval. The administration said the bill failed to ensure that the nation's core critical infrastructure is protected, and that it would repeal important electronic surveillance law provisions but have no corresponding privacy safeguards. The bill, which was not approved by the Senate, is expected to be reintroduced in Congress on Wednesday.

Commenting on the executive order, Gerald J. Ferguson, a partner with law firm Baker & Hostetler L.L.P. in New York, said it is hard to say what the executive order means because most of its key provisions are “very vague,” but the context of the order is Congress' failure to pass H.R. 3523. Mr. Ferguson said its passage broke down over three issues: business groups' resistance to specific government security standards; civil liberty concerns about sharing information about cyber security threats; and the companies' potential liability limitations.

The executive order is “effectively putting all these issues out there without offering a solution, but instead saying, 'We want the relevant agencies to investigate these issues'” and either come back with a solution or ways to develop better standards for sharing information “while addressing the concerns that were raised in connection with the legislation,” said Mr. Ferguson.

%%BREAK%%

New York-based Baker & Hostetler partner Theodore Kobus III said there are concerns about whether disclosure of information under the executive order will be consistent with U.S. Securities and Exchange Commission disclosures; whether information will be disclosed to competitors, criminals or hacktivists; and whether noncompliance with government requests for information will result in companies being considered nonpreferred vendors for government contracts or subject to increased regulatory scrutiny, among others.

Jim Whetstone, Chicago-based senior vice president for global errors and omissions in the global markets at Hiscox USA, said while there are no apparent mandatory requirements in the executive order for business, its impact on insurance “remains to be seen.”

In a speech on the executive order Wednesday, Department of Justice Deputy Attorney General James M. Cole said, “Under the executive order, each federal department and agency is required to develop and implement privacy and civil liberties safeguards in concert with cyber security activities.”

The Washington-based American Civil Liberties Union said in a statement issued Wednesday: “Unlike legislation that will be introduced into the House (Wednesday), the president's executive order seeks to protect Americans' digital privacy when information-sharing occurs.”