By Caleb Skeath
During the White House’s inaugural Summit on Cybersecurity and Consumer Protection last Friday, President Obama signed an executive order designed to facilitate increased information sharing between the private sector and the federal government. The order follows the introduction of the Cyber Threat Sharing Act of 2015 in the Senate, an information-sharing bill modeled on the legislative proposal released by the White House in January.
In a speech before signing the order, President Obama commended several private entities that committed to incorporating the National Institute of Science and Technology’s (NIST) cybersecurity framework, developed pursuant to an executive order in 2014, into their own information security policies. The President’s speech also highlighted the White House’s push for improved cybersecurity measures for financial transactions, as part of the previously announced Buy Secure initiative, and the adoption of multi-factor authentication methods.
The executive order directs the Department of Homeland Security (DHS) to select a private entity to identify or develop a common set of voluntary best practices for information sharing and analysis organizations (ISAOs). The best practices are a central feature of the White House’s information-sharing proposal, which only provides liability protection for sharing cyber threat information with ISAOs if those ISAOs have publicly adopted these best practices. Once selected by DHS, the private entity must engage in an open public review and comment process during the development of these best practices. The final version must address, at a minimum, “contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization.”
The executive order will also streamline the flow of cyber threat information between DHS, private ISAOs and other private entities. The executive order designates the National Cybersecurity and Communications Integration Center (NCCIC) as a critical infrastructure protection program, granting the NCCIC the authority to enter into voluntary agreements with ISAOs. The executive order also allows the Secretary of Homeland Security to approve arrangements for sharing of classified information under a “designated critical infrastructure protection program.”
The signing of the executive order comes two days after Sen. Tom Carper (D-DE), the ranking member of the Senate Homeland Security and Governmental Affairs Committee, introduced the Cyber Threat Sharing Act of 2015. The bill, which is modeled on the White House’s information-sharing proposal, would provide limited liability protections for sharing cyber threat information with the NCCIC and private ISAOs that self-certify compliance with the ISAO best practices. The bill would also require entities to make reasonable efforts to remove identifying information from cyber threat information prior to sharing it.