The federal government continues to steadily ratchet up its focus on cybersecurity. On February 13, 2015, President Obama signed an Executive Order to improve real-time sharing of cyber-threat information between government, private companies and non-profit organizations. The President signed the Order at the conclusion of a cybersecurity summit held at Stanford University, where he noted the challenges that cyber-threats pose to both our national and economic security, and the need for a “shared mission” between industry and government to thwart those threats moving forward.
The Order includes elements to improve rapid collaboration, both within the private sector and between the private sector and the government, to meet quickly evolving threats posed by hackers. The White House characterized the Order as providing a “framework” to:
- Support the development of “Information Sharing and Analysis Organizations” (ISAOs) that will serve as focal points for cybersecurity information sharing and collaboration both within the private sector and between the private sector and government;
- Develop a common set of voluntary standards for those ISAOs;
- Clarify the Department of Homeland Security’s authority to work with ISAOs;
- Streamline the process to permit private companies to access classified cyber-threat information;
- Ensure that information sharing will include strong protections for privacy and civil liberties; and
- Pave the way for future legislation to provide targeted liability protections, which the Administration has asserted are pivotal to incentivizing and expanding information sharing.
At its core, the Order envisions ISAOs as hubs where companies share cyber-threat data with each other and with the Department of Homeland Security. These ISAOs may be organized by industry, sub-industry, or even by region.
As with any proposed program that calls on private companies to share proprietary and sensitive data with the government, many questions remain as to the potential risks and benefits to companies. These include how cyber-threat data would be shared, what it is that companies are supposed to do with the information they receive (must they act on it immediately? can they share it with customers or partners who are not part of the ISAO?), what standards would be enacted, and what form of liability protection, if any, would be extended to companies that participate in the ISAOs. Similarly, how will the government protect sensitive corporate information that it receives via an ISAO, and will data shared via an ISAO be shielded from discovery if an ensuing data breach results in litigation? The answers to these, and related questions, may ultimately determine whether President Obama’s Executive Order will result in an improved cyber security environment.
Nonetheless, at this early stage, the Health Information Trust Alliance (HITRUST) issued a statement supporting the new Executive Order.
This is the latest effort to encourage private sector companies to share cyber-threat information. For example, in April 2014, the Department of Justice and the Federal Trade Commission took the unusual step of issuing a joint policy statement in which they noted that “properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.” Other agencies, including the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA), have also prodded businesses they regulate to share cyber-threat information.
The new Executive Order was issued almost exactly one year after the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014, which itself responded to an earlier Executive Order, 13636, issued by the President on February 12, 2013.
On a related note, on February 10, 2015 the government announced the creation of yet another body, the Cyber Threat Intelligence Integration Center (CTIIC), under the auspices of the Director of National Intelligence. Modeled after the National Counterterrorism Center, the CTIIC’s mission will be to gather and integrate information from the various intelligence-gathering services and distribute it to the government agencies tasked with responding to cyber-attacks.
What’s the Take-Away?
The unprecedented volume of cybersecurity-driven Executive Orders, legislation, regulations, guidelines, frameworks, assessments and policy statements recently issued by the federal government underscores the growing threat posed by malicious cyber attacks and even inadvertent data breaches. To better protect their own sensitive data, as well as the protected information of their employees and customers/patients, companies should consider assessing their cybersecurity posture both in terms of preventative measures and breach response and remediation plans. Thoughtful planning, testing, and evaluation before a crisis occurs are simply good business, and a smart investment in the evolving cyber-threat and regulatory environment.