On the same day he delivered his State of the Union address, President Obama ordered the U.S. to shore up its cyberdefenses. “We know foreign countries and companies swipe our corporate secrets,” Obama said in the Feb. 12 speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order calls for the U.S. Department of Homeland Security to identify which “critical infrastructure” is vulnerable to a cyberattack that would be catastrophic to the economy and public safety. It comes amid intensifying strikes from Chinese hackers on American corporations and newspapers. Homeland Security is writing standards that will initially be voluntary, but the agency is supposed to push the regulators that oversee the affected industries to adopt the rules as binding.
That’s why telecom and tech lobbyists are trying to shape the definition of what qualifies as “critical.” Does it apply only to the telecommunications, cable, and satellite companies that control the backbone of the Internet? Or should Google (GOOG), Apple (AAPL), Microsoft (MSFT), and other businesses that make digital products also have to spend money to safeguard their systems? “The telecom community is concerned the tech industry is going to get a free pass here,” says David Kaut, a Washington-based analyst with Stifel Nicolaus (SF).
The companies are at odds over a broadly worded passage in Obama’s order that excludes “commercial information technology products or consumer information technology services” from the standards. AT&T (T) and Verizon Communications (VZ) say it’s unfair for makers of smartphone and computer technology to be exempted. “If e-mail went away this afternoon, we would all come to a stop,” says Marcus Sachs, vice president of national security policy at Verizon Communications. “Hell yeah, e-mail is critical.”
A week after Obama issued the order, Apple said some of its employees’ computers were attacked by malicious software after they visited a website aimed at iPhone developers. Shortly afterward, Microsoft announced that similar malware had infected some of its company computers. Nonetheless, trade groups representing tech manufacturers and Web companies say the cables and fiber that information travels over are more critical than the devices and programs their members make. Obama’s order isn’t meant to “dictate how those products and services behave,” says David LeDuc, senior director of public policy for the Software & Information Industry Association, which represents Google, IBM (IBM), and Oracle (ORCL).
Tech companies argue other countries might take a cue from the U.S. and set up their own cybersecurity guidelines. Multiple sets of regulations might mean manufacturers and Web companies would have to create different products and services for different countries, further increasing costs.
It’s not surprising telecoms don’t want technologies with a vital role in overall security to be left out, says Stewart Baker, a former Homeland Security official and now a partner in Washington at the law firm Steptoe & Johnson. “If you’re attacking people, you go for the weakest link,” he says, “and the weakest link is often some commercial product.”