Obama to Issue Cybersecurity Executive Order
Designed to Encourage More Private Sector Information Sharing
President Obama has gone to Silicon Valley to pitch his cybersecurity agenda and issue an executive order to encourage more private sector information sharing.
The executive order, according to a White House announcement, would encourage the development of information sharing and analysis organizations, or ISAOs, to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Existing information sharing and analysis centers, or ISACs, could constitute ISAOs under the president's framework.
In encouraging the creation of ISAOs, the administration hopes to expand information sharing by encouraging the formation of "communities" that share information across a region or in response to a specific emerging cyberthreat. An ISAO could be a not-for-profit community, a membership organization or a single company facilitating sharing among its customers or partners. The executive order also would:
- Develop a common set of voluntary standards for information sharing organizations;
- Streamline private-sector companies' access to classified cybersecurity threat information; and
- Simplify the process for the National Cybersecurity and Communications Integration Center to enter into information sharing agreements with ISAOs to ensure "that robust, voluntary information sharing continues and expands between the public and private sectors."
The White House hopes the proposals will assuage ongoing privacy concerns related to how the government will collect threat-related information, and how such information might get used by U.S. intelligence agencies, while giving businesses some of the liability protection they've been demanding, in return for sharing threat-related information.
"We believe that by clearly defining what makes for a good ISAO, that will make tying liability protection to sectorial organizations easier and more accessible to the public and to privacy and civil liberties advocates," White House cyber coordinator Michael Daniel told reporters during a Feb. 12 conference call, Reuters reports.
Still, many experts believe the executive order cannot provide liability protection to businesses that share cyberthreat information; only a new law can furnish those safeguards. Without such protection, some businesses might not have the incentive to share cyberthreat information.
Obama is scheduled to deliver the keynote speech at the Feb. 13 White House Summit on Cybersecurity and Consumer Protection at Stanford University, which will touch on a range of cybersecurity-related domains, including improving businesses' information security practices, fostering greater threat information sharing, as well as promoting the use of more secure - and thus hack-resistant - payment systems.
Obama has pitched the day-long summit as a way "to bring everybody together - industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students - to make sure that we work through these issues in a public, transparent fashion." And the agenda for the invitation-only summit includes speeches from the heads of multiple, big-name U.S. firms, ranging from Apple and American Express to Kaiser Permanente and MasterCard. Homeland Security Secretary Jeh Johnson and Commerce Secretary Penny Pritzker are also scheduled to address the summit.
But some top technology executives are sitting out the event - and a private lunch with Obama - despite having been invited. While Apple CEO Tim Cook plans to attend, the leaders of Facebook, Microsoft, Google and Yahoo said they will send their chief information security executives instead, Bloomberg reports.
That such high-profile executives are declining to meet with Obama at Stanford University - in the heart of Silicon Valley - reflects the extent to which relations between the White House and leading U.S. technology firms have remained frayed since former U.S. National Security Agency contractor Edward Snowden's leaks exposed the extent to which U.S. intelligence agencies were directly tapping those businesses' systems, for example through the PRISM metadata-gathering program.
Tensions are being exacerbated by calls from the administration for the makers of mobile devices to give intelligence agencies and law enforcement keys to unlock encryption being built into Apple's iPhone and Google's Android phones so they can go after terrorists and criminals (see Obama Sees Need for Encryption Backdoor). The tech companies also object to the restrictions placed on them on publicizing secret government requests for customer information under the Foreign Intelligence Surveillance Act (see U.S. Requests for Customer Data Revealed).
Call for Action
While White House cybersecurity credibility arguably remains shaky following those intelligence revelations, the administration is nevertheless being called upon to do something about the seemingly nonstop spate of data breaches - at Target, Home Depot, Anthem and beyond - that have been pummeling U.S. businesses and consumers.
The White House has threatened to veto previous Congressional attempts to pass information-sharing legislation, saying they lacked sufficient privacy safeguards, while granting overly broad liability protections to businesses (see White House Threatens CISPA Veto, Again).
But the White House knows that to make these latest cybersecurity proposals stick, it must see an information-sharing bill that it approves of make its way through Congress. "This is an urgent matter and we are working with anyone that we can up on the Hill to make that happen," Daniel said (see Cybersecurity Coordinator: Don't 'Waste a Crisis').
The agenda for the cybersecurity summit includes discussions devoted not just to public-private collaboration on cybersecurity, but also promoting information sharing, international law enforcement cooperation, more cybersecurity research, and the use of better authentication technologies to help replace passwords. In a lead-by-example move, the White House also plans to highlight its attempt to speed U.S. EMV adoption via the government's "Buy Secure" initiative, which includes issuing chip-and-PIN cards to all federal employees and benefits programs.
On Feb. 13, the FBI and U.S. Secret Service are also set to hold regional "open houses," co-hosted by local business executives, in 18 cities, at which the White House cybersecurity summit proceedings will be streamed live.
Cyber Integration Center
Following on the seemingly nonstop mega-breaches that continue to hit U.S. businesses - to say nothing of the Sony Pictures Entertainment hack attack - many security and privacy advocates argue that the White House should be pressuring the private sector into improving its information-security defenses. But the administration has little ability to force the private sector to take cybersecurity more seriously, owing to Congress failing to see a single piece of cybersecurity legislation - related to the public sector - pass into law.
Instead, the White House has been emphasizing information sharing, to give businesses access to attack-related information - such as malware signatures and "indicators of compromise."
On that front, White House security adviser Lisa Monaco on Feb. 10 announced the launch of a new Cyber Threat Intelligence Integration Center, which is to be modeled on the U.S. National Counterterrorism Center and report to the Director of National Intelligence. The center - which reportedly has an initial budget of $35 million - is designed to bring together cyber-intelligence gathered by U.S. law enforcement, security and intelligence agencies.
"We're going to have to work in lockstep with the private sector," Monaco said in a speech at the Wilson Center, a Washington think tank, adding that the hack of Sony Pictures Entertainment was a "game changer" for U.S. businesses. "We want this flow of information to go both ways," Monaco said.
Harry Raduege, a former top Defense Department IT executive, tells Information Security Media Group that the private sector likely wouldn't work directly with CTIIC (pronounced "see-tick"), but would likely benefit indirectly from it (see Raduege: Why New Cyber Agency Matters).
But it's not yet clear if U.S. technology giants - and businesses - will buy in to the Obama administration's broad post-Snowden cybersecurity agenda and ISAOs, or whether having access to government-collected threat intelligence will help prevent the hack attacks to which so many private-sector firms continue to fall victim.