Today, President Obama will sign an Executive Order to encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.
Rapid information sharing is an essential element of effective cybersecurity, because it enables U.S. companies to work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats.
Encouraging Private-Sector Cybersecurity Collaboration
Encourage the development of Information Sharing Organizations: This Executive Order encourages the development of information sharing and analysis organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Information Sharing and Analysis Centers (ISACs) are already essential drivers of effective cybersecurity collaboration, and could constitute ISAOs under this new framework. In encouraging the creation of ISAOs, the Executive Order expands information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.
Develop a common set of voluntary standards for information sharing organizations: The Executive Order also directs the Department of Homeland Security to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs. Developing this baseline will enable ISAOs to quickly demonstrate their policies and security protocols to potential partners. This will make collaboration safer, faster, and easier, and ensure greater coordination within the private sector to respond to cyber threats.
Enabling Better Private-Public Information Sharing
Clarify the Department of Homeland Security’s authority to enter into agreements with information sharing organizations: The Executive Order also increases collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. This will ensure that robust, voluntary information sharing continues and expands between the public and private sectors. The administration intends this expanded sharing to complement existing effective relationships between government and the private sector.
Streamline private sector companies’ ability to access classified cybersecurity threat information: Classified threat information can often provide valuable context to network defenders and enhance their ability to protect their systems. The Executive Order adds the Department of Homeland Security to the list of Federal agencies that approve classified information sharing arrangements and takes steps to ensure that information sharing entities can appropriately access classified cybersecurity threat information.
Providing Strong Privacy and Civil Liberties Protections
The Executive Order ensures that information sharing enabled by this new framework will include strong protections for privacy and civil liberties. Private sector ISAOs will agree to abide by a common set of voluntary standards, which will include privacy protections, such as minimization, for ISAO operation and ISAO member participation. In addition, agencies collaborating with ISAOs under this order will coordinate their activities with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the Fair Information Practice Principles.
Paving the Way for Future Legislation
The Executive Order also complements the Administration’s January 2015 legislative proposal, and paves the way for new legislation, by building out the concept of ISAOs as a framework for the targeted liability protections that the Administration has long asserted are pivotal to incentivizing and expanding information sharing. The Administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector.