Obama's cyber security directive may impact many private-sector businesses

President Barack Obama's executive order to strengthen the cyber security of the nation's critical infrastructure leaves many private-sector businesses with unanswered questions regarding its effect on them, experts say.

The order, issued in February, requires federal agencies to produce unclassified reports of threats to U.S. companies that will be shared with targeted entities in a timely manner. It also expands the federal Enhanced Cybersecurity Services program to enable sharing cyber threat information to assist critical infrastructure companies in their cyber protection efforts.

In addition, the order calls for the National Institute of Standards and Technology to work collaboratively with critical infrastructure shareholders to develop a cyber security framework within the next year.

Meanwhile, experts warn the passage of the proposed Cyber Intelligence Sharing and Protection Act could make the executive order moot. Although the Act recently passed the House, it slowed in the Senate and is under committee review.

“There are basically three categories of business that could be impacted to varying degrees” by the executive order, said David N. Fagan, a partner with law firm Covington & Burling L.L.P. in Washington.

“The first and most direct is companies that operate critical infrastructures,” he said. “The second category is companies that do not have critical infrastructure, but are in sectors that are regulated by the federal government.” The third category is other businesses, where the executive order's effect is “going to be more attenuated,” he said.

“It's important to have the federal government mobilize around what it can do to help the critical commercial infrastructure,” said Harriet Pearson, a partner with Hogan Lovells US L.L.P. in Washington. Ms. Pearson said the order is “not trying to solve everything around cyber security. It's aiming at what are the most important parts of the digital infrastructure that are in the private sector's hands. That's a very big subject.”

Shellye Archambeau, CEO of Palo Alto, Calif.-based consulting firm MetricStream Inc., said the executive order's call for a framework “so that we can establish the right way in which government and the public and private sectors can come together on this matter” is positive.

Ms. Archambeau said she has feared there will be a major cyber security breach and then a “knee-jerk reaction because of pressure and public outcry, and we will not be able to take the time to be as thoughtful as we will need to be to protect privacy.” Because of this, Ms. Archambeau said, “it's important that we spend the time now to get it right.”

Ms. Pearson said a couple of the questions arising from the executive order are “what constitutes a critical infrastructure and the process by which it will be defined” and the process through which companies are included in that category, which may be of concern to businesses. “The hope is that the process is a good one,” she said.

Toby Merrill, Philadelphia-based vice president of Ace Professional Risk, part of Ace Ltd., said there are many sectors that “may not have thought of themselves as critical infrastructure that are now going to be falling under the direction of this order,” such as financial services firms.

“The first thing I would do if I were sitting in the shoes of any organization that looks at this” is determine whether it “falls within the umbrella of what's defined as critical infrastructure, and that definition is broader than I've ever seen it before,” he said, noting the executive order lists 16 sectors. “To me, that's a real eye opener,” Mr. Merrill said.

Mr. Merrill said the question that arises is, “What does it mean if a firm is now considered part of the critical infrastructure and the repercussions if it does not provide information to the government?” Organizations must plan ahead, he said, “because it is not something any organization can flip a switch on and be prepared. These things take time. There's writing of policies and procedures within an organization that can't be implemented very quickly.”

Business is also concerned that a “check-the-box standard” will develop that “may or may not improve security. People will be watching and hoping that what emerges will be something useful from that process,” Ms. Pearson said.

Referring to the executive order's information-sharing provision in cases where the federal government learns companies are the target of cyber threats, Lisa J. Sotto, a partner with Hunton & Williams L.L.P. in New York, said businesses “will not be able to sit idle and just absorb the information.”

“I think it's critically important for companies to take action in this area because we are being overrun by cyber threats and cyber attacks,” she said.

Chris Bronk, a fellow of information technology at Rice University in Houston, said he was concerned about the lack of funding behind the executive order.

“If you don't put any resources behind it, how are you going to get anything done? The executive order says there should be a lot more sharing going on,” Mr. Bronk said. “How do you build the apparatus” to accomplish this? “Who's going to pay for it, and how's it going to work?”

Mr. Bronk said the more due diligence companies embark on now, the less of a struggle they will have in dealing with what comes down from Washington.

“Individual organizations need to confront this problem and put resources behind it, and industries need to coalesce task forces, information sharing organizations and technical working groups around this set of problems,” he said.

Ms. Pearson said, however, that as an executive order, rather than legislation, the order has “limited statutory authority” and cannot, for example, limit organizations' liability.

Ms. Sotto said the executive order can have “a pretty significant impact or none at all, depending on when legislation happens, because legislation could make it moot.”

“It's been clear for a long time now that President Obama is very focused on this issue and is frustrated by the inability of Congress to rally around the issue, so I see the executive order, really, as a throwing down of the gauntlet in front of Congress to say, ‘It's time,’” he said.
