Obama’s executive order urges voluntary cyber info sharing

By Erin Ayers on February 18, 2015

President Barack Obama issued an executive order designed to promote the voluntary sharing of cybersecurity data and threat information among private companies and between the private sector and the government.

“Such information sharing must be conducted in a manner that protects the privacy and civil liberties of individuals, that preserves business confidentiality, that safeguards the information being shared, and that protects the ability of the Government to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States,” stated Pres. Obama in the order.

As part of the executive order, the Department of Homeland Security will create a nonprofit organization to develop standards for information sharing and analysis organizations (ISAOs), to facilitate collaboration.

Obama has already unveiled a legislative package aimed at better equipping the government and industry with the right tools to fight back against cyber crime.

The executive order followed remarks given by the President at a cybersecurity summit held at Stanford University. During the event, he noted, “And it’s one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm.  The same information technologies that help make our military the most advanced in the world are targeted by hackers from China and Russia who go after our defense contractors and systems that are built for our troops.  The same social media we use in government to advocate for democracy and human rights around the world can also be used by terrorists to spread hateful ideologies.  So these cyber threats are a challenge to our national security.”

Obama went on to say, “Much of our critical infrastructure — our financial systems, our power grid, health systems — run on networks connected to the Internet, which is hugely empowering but also dangerous, and creates new points of vulnerability that we didn’t have before.  Foreign governments and criminals are probing these systems every single day.  We only have to think of real-life examples — an air traffic control system going down and disrupting flights, or blackouts that plunge cities into darkness — to imagine what a set of systematic cyber attacks might do.  So this is also a matter of public safety.”

Several information-sharing channels already exist: a number of industries, including the retail and financial sectors, participate via Information Sharing and Analysis Centers (ISACs). The National Council of ISACs encourages private industry participation, but, significantly, private companies are leery of sharing threats that they have personally encountered for fear of litigation.

Obama concluded, “The cyber world is sort of the wild, wild West.  And to some degree, we’re asked to be the sheriff.  When something like Sony happens, people want to know what can government do about this.  If information is being shared by terrorists in the cyber world and an attack happens, people want to know are there ways of stopping that from happening.  By necessity, that means government has its own significant capabilities in the cyber world.  But then people, rightly, ask, well, what safeguards do we have against government intruding on our own privacy?  And it’s hard, and it constantly evolves because the technology so often outstrips whatever rules and structures and standards have been put in place, which means that government has to be constantly self-critical and we have to be able to have an open debate about it.”

However, will Obama’s order effect any change in organizations’ willingness to share data without some liability immunity? There is cause to be concerned.

“A major issue with President Obama’s executive order, and the entire concept of information sharing more broadly, so far, is that private sector organizations are legitimately concerned that voluntarily sharing information will expose them to potentially significant sources of liability. An organization must consider that disclosing an attack that may have harmed the company could potentially lead to a host of adverse consequences, be they in the form of class action litigation, shareholder litigation, regulatory action or reputational harm.  Simply providing certain types of information to third parties can and often does expose an organization to significant sources of liability,” Roberta D. Anderson, attorney with K&L Gates, told Advisen. “An organization also must consider what responsibility the organization itself has with respect to information received from third parties. So, at this point, in order to foster information sharing that is significantly greater than what is already occurring within the private sector, there needs to be appropriate protections for private sector entities and clear standards and protocols surrounding information sharing that expressly define and limit risk.  What immunities and protections will be in place for companies that share information?  How will shared information be protected?  What do companies need to do with information they receive? What if a company receives information and fails to appreciate it as a threat?  These and other questions remain largely unanswered and are likely to hinder significant additional information sharing at this juncture.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].