Cyber Executive Order Continues the Push for Public-Private Partnerships
In conjunction with his remarks at the White House Summit on Cybersecurity at Stanford University last week, President Obama signed Executive Order 13691, entitled "Promoting Private Sector Cybersecurity Information Sharing." Published in the Federal Register today, the Order is intended to encourage and facilitate cybersecurity information sharing, both within the private sector and between government and the private sector. One of the many issues President Obama raised at the Summit is that, because a large majority of the nation's critical infrastructure is privately owned, cybersecurity is necessarily a shared public-private mission. Another is that cybersecurity must balance the exigency of security against the privacy and civil liberties of the American people.
The President cautioned that the Executive Order, which is not a law or regulation, falls short of the broad action the Administration believes is needed to better protect the nation's economic and national security from burgeoning cyber threats. That, the White House asserted, can only come from legislative action.
In conjunction with the Order, the White House announced the formation of the Cyber Threat Intelligence Integration Center (CTIIC), a new intelligence unit intended to assess cyber threat information and then disseminate that intelligence across the federal government. At the Summit, the President explained that "just like we do with terrorist threats, we're going to have a single entity that's analyzing and integrating and quickly sharing intelligence about cyber threats across government so we can act on all those threats even faster." Under the plan, industry would share cyber threat information with the Department of Homeland Security (DHS), which would share the data with the CTIIC. Further, the CTIIC would share that information with the rest of the federal government.
The Order asks the private sector to invest in developing better cyber defenses, improve industry collaboration on cyber issues, and reach out to the federal government for assistance on cyber matters. It also requires the DHS Secretary to "strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs)," in which real-time cyber information can be exchanged among those participating and with the government. The Order is something of a two-way street: It also empowers DHS to approve sharing classified intelligence, an authority it has not previously held.
In addition, the Order requires the DHS Secretary to enter into an agreement with a nongovernmental standards organization to identify a common set of voluntary standards for the creation and functioning of ISAOs, governing how information is shared, with whom, and what steps are taken to protect privacy and security. According to the President, the goal of the standards will be to create "robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information." The Order attempts to mitigate industry's privacy concerns by directing any federal agency collaborating with ISAOs to coordinate those efforts with their respective privacy and civil liberties officers, and to ensure that all protections in place are based on the Fair Information Practice Principles (FIPPs). Before being finalized, the standards will also become the subject of public review and comment.
The Order envisions that ISAOs will be flexible entities formed based on a variety of commonalities, such as geographic region or engagement in response to a specific threat. They are essentially an expansion of the current Information Sharing & Analysis Centers (ISACs) that industries across the nation's critical infrastructure have already created in order to share cyber threat information. The White House expects these types of information sharing bodies to eventually work in coordination with each other.
Representatives from several private sector entities attended the Stanford Summit and pledged support for the Administration's cybersecurity efforts. That support will no doubt prove imperative to the success of the voluntary ISAOs, as concerns stemming from the Snowden leaks remain.
In coordination with the release of the Executive Order, the White House issued a statement that called on Congress to pass the Administration's proposed cybersecurity legislation. The proposal would not only provide targeted liability protection to those private companies participating in public-private partnerships like ISAOs, but would also modernize the controversial Computer Fraud and Abuse Act and create a national standard for data breach reporting, which is currently governed by a morass of varying state laws. Crowell & Moring will continue to monitor both the Congressional and private sector reaction to this month's cyber developments.