As a follow-up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.
What does the Order actually do?
The Order “promotes…encourages…and…allows” but does not require anything. Specifically, it creates a voluntary framework for the formation of Information Sharing and Analysis Organizations (“ISAOs”). Per the Order, the Department of Homeland Security (“DHS”) will “engage in continuous, collaborative, and inclusive coordination” with ISAOs to share information about cybersecurity threats. Through the National Cybersecurity and Communications Integration Center, DHS also will enter into voluntary information sharing agreements with ISAOs. A common set of standards for ISAO participants will be created by the ISAO Standards Organization, a nongovernmental organization to be designated by DHS.
ISACs and ISAOs
The Order contemplates the possibility of Information Sharing and Analysis Centers (ISACs) becoming the ISAOs that will “serve as focal points for cybersecurity information sharing and collaboration.” ISACs play an information sharing role within particular industry sectors; ISACs currently exist for the aviation, electricity, financial services, healthcare and other industries.
ISAOs could become an important tool for companies and nongovernmental organizations to share information across sectors. The Order allows for sector-specific ISAOs, but also permits organization on the basis of “region, or any other affinity, including in response to particular emerging threats or vulnerabilities,” whether “as for-profit or nonprofit entities.”
Whether ISACs evolve into ISAOs or ISAOs are formed separately, they represent a different approach to the basic problem of threat information becoming siloed. Participation in ISAOs will be voluntary, and individual firms will want to consider whether participation will assist in efforts to fend off Advanced Persistent Threats (“APT”). Several speakers at the Summit suggested this model could present an especially valuable opportunity for smaller firms, which tend to have less access to threat data.
Will Firms Participate in ISAOs?
The success of information sharing as a cybersecurity tool will hinge on the breadth and depth of industry participation. (In this regard, the choice of Stanford University to host the Summit, rather than Washington, D.C., was no accident.) Even at this early date, there is some reason to be skeptical. Ahead of the Summit, several news outlets noted the growing tensions between Silicon Valley and the White House over data collection efforts by intelligence agencies and law enforcement. But the more fundamental issue is likely to be continued uncertainty over legal liability arising from turning over consumer data to the government. However, these issues can be overcome, as the experience of one of the first and leading data-sharing organizations, the Advanced Cyber Security Center, has shown.
The Obama Administration has insisted that “targeted liability protections” are “pivotal to incentivizing and expanding information sharing,” but such protections are not found in the Order; they will require Congressional action. President Obama recently proposed such legislation as part of a broader set of cybersecurity initiatives. Speaker Boehner’s office criticized the Order as a “unilateral, top-down solution,” but suggested that House Republicans could work with the President on “common-sense measures.” In the current political environment, legislative collaboration on even “common-sense measures” may strike some potential ISAO participants as too distant a prospect.
Standards to Watch
Many firms will want to participate in the development of the voluntary standards for ISAOs. The Order instructs DHS to designate an ISAO Standards Organization that will “identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs.” The Standards Organization will be required to “engage in an open public review and comment process for the development of the standards,” including soliciting the viewpoints of a wide variety of stakeholders. Though these standards would be voluntary, they could evolve into de facto requirements for participation in ISAOs.