Warning that US companies are the target of intensive cyber espionage campaigns, President Barack Obama's top security officials say they are struggling to defend the nation from attacks on its most crucial private computer networks and called on Congress to pass legislation that would close regulatory gaps.
The executive order, which Obama signed on Tuesday, relies heavily on participation from US industry in creating new voluntary standards for protecting information. The order also expands the government's effort to share threat data with companies.
But politicians and cyber experts say that Obama's directive is missing what US businesses need most: legal protection so they don't get sued if they acknowledge they've been hacked or share that data with competitors. That can only come from Congress, which hasn't been able to agree on how to protect businesses and consumers alike.
"The government is often unaware of malicious activity targeting our critical infrastructure," said General Keith Alexander, head of the National Security Agency and US Cyber Command.
"These blind spots prevent us from being in a position of helping critical infrastructure defend itself and it prevents us from knowing when we need to defend the nation," Alexander told industry and government officials at the Commerce Department.
In Obama's speech on Tuesday, he said America's enemies are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
He added, "Now, Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
Obama's executive order has been months in the making and is the product of often-difficult negotiations with private sector companies that oppose any increased government regulation.
While largely symbolic, the plan leaves several practical questions unanswered: Should a business be required to tell the government if it has been hacked and US interests are at stake? Can a person sue her bank or water treatment facility if those companies don't take reasonable steps to protect her? If a private company's systems are breached, should the government swoop in to stop the attacks - and pick up the tab?
Under the president's new order, the National Institute of Standards and Technology has a year to finalise a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.
There also must be incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.
The order also calls for agencies to review their existing regulations to determine whether the rules adequately address cybersecurity risks.