President Obama Issues Executive Order on Information Sharing; Reiterates Needed Attention to Privacy
On February 13, President Obama issued an Executive Order, Promoting Private Sector Cybersecurity Information Sharing (EO), designed to help companies rapidly share information related to cyber threats with the government and each other. This is another step in a line of actions the President has been taking on cybersecurity, shaping the federal government's response in the wake of cyberattacks against the federal government, as well as major companies such as Sony, Home Depot, and Anthem. In February of 2013, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which has been driving cyber policy across the federal government. The recent information-sharing EO was released on the heels of a White House Summit on Cybersecurity and Consumer Protection, which gathered business leaders, experts, and advocates involved in the cybersecurity and consumer protection landscape to discuss and promote best practices and next steps.
The Executive Order Promotes Venues for Information Sharing
The EO focuses on improving information sharing, which industry and others believe is critical to better enable attack prevention and response. To that end, the EO promotes the formation and use of information sharing and analysis organizations (ISAOs) as coordination points for sharing cyber threat information between companies and with the federal government. Many industry sectors already successfully employ information sharing and analysis centers (ISACs) for this purpose. The EO makes clear that ISACs could be considered ISAOs, and encourages additional sectors and types of organizations to employ this model. The EO directs the Department of Homeland Security (DHS) to create a non-profit entity to develop a common set of voluntary standards for the operation of ISAOs, which will be subject to the public review and comment process. These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections for ISAO operation and ISAO member participation.
The EO seeks to improve and accelerate information sharing with the private sector through the use of ISAOs in two ways. First, the EO improves the means by which the National Cybersecurity and Communications Integration Center enters into information sharing agreements with ISAOs. Second, the EO will ease the approval process for ISAOs to be able to access classified cybersecurity information from the government.
The President Reiterates the Importance of Privacy Considerations
The EO also emphasizes privacy protections. The EO will require ISAOs to abide by voluntary privacy standards, which will include privacy protocols, such as minimization, for ISAO operation and member participation. In addition, agencies collaborating with ISAOs will work with their senior officials for privacy and civil liberties to ensure that appropriate privacy protections are incorporated into contemplated activities. The EO makes clear that agencies' privacy protections are to be based on the Fair Information Practice Principles, and other frameworks, as they apply.
This EO also reaffirms the role of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent, bipartisan agency within the executive branch. The PCLOB was established by law in 2007 to review executive branch actions, and to ensure that liberty concerns are considered in developing law and policy related to protecting against terrorism.
In the President's 2013 Executive Order 13636, the PCLOB was given a consulting role to help DHS conduct assessments and report on privacy and civil liberties issues raised by their activities under EO 13636. Likewise, the 2015 EO instructs federal agency privacy and civil liberties officials to conduct assessments of their activities, and to provide those assessments to DHS for the reporting contemplated in Section 5 of EO 13636. Last year, PCLOB provided feedback to DHS on the first Privacy and Civil Liberties Assessment Report under EO 13636, identifying several areas for improvement in agencies' reports and in the consultation process. It remains to be seen how DHS and PCLOB will consult on these, and additional matters related to cybersecurity, going forward.
The EO is Part of Ongoing Cyber Activity at the Federal Level
In 2013, the President took action to spur federal cybersecurity activities, when he issued Executive Order 13636. Work implementing that EO has been ongoing, and has resulted in a voluntary, risk-based Cybersecurity Framework for critical infrastructure, developed by the National Institute of Standards and Technology (NIST).
Many federal agencies are taking action on cyber, under the 2013 EO and otherwise. The DHS is implementing programs to encourage industry to work on cybersecurity, as envisioned by the 2013 EO. Other federal agencies, from the Food and Drug Administration to the Federal Communications Commission, are studying the NIST Cybersecurity Framework and considering how the private sector is using it. Myriad federal agencies are actively examining cybersecurity issues in a variety of contexts.
These and other Executive Branch activities occur as Congress continues to refine and consider legislative solutions, including those proposed by the President. The President highlighted cybersecurity issues in his 2015 State of the Union address, and this past January sent several cybersecurity-related bills to Congress. The White House recently announced the creation of a Cyber Threat Intelligence Integration Center to help review and synthesize cyber threat information.
Given the passage of cybersecurity legislation in the House and emerging consensus on some issues in the Senate, observers are optimistic that legislation could pass this year.