On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs).
The President observed that much of the United States’ critical infrastructure runs on networks connected to the Internet, resulting in vulnerabilities that foreign governments and criminals are probing every day. The President outlined four basic principles that should guide the efforts to combat cyber threats:
- A shared mission between the private sector and the government;
- Focus by private and public sectors on their unique strengths;
- Flexibility in the approach to cybersecurity; and
- Protection for the privacy and civil liberty of the American people.
The President called the protection against cyber-threats a shared mission because neither government nor the private sector can defend against cyber-attacks alone. While the government has many capabilities, it is neither appropriate nor possible for the government to secure the networks of the private sector. On the other hand, the private sector is at the cutting edge of technology, but does not always have the situational awareness, the ability to warn other companies in real time, or the capacity to coordinate a response across companies to a cyber-attack.
The President identified the institutions that form the core of the national cyber-threat sharing effort as the Department of Homeland Security’s National Cybersecurity Communications Integration Center (NCCIC) and the newly announced Cyber Threat Intelligence Center, the latter envisioned as a single entity that analyzes and quickly shares cyber-threat intelligence.
The Executive Order furthers the Administration’s cyber-preparedness goals by requiring the Secretary of Homeland Security to “strongly encourage” the creation of ISAOs. The order also requires the NCCIC to engage in “continuous, collaborative, and inclusive coordination with ISAOs.” ISAOs can be created based on industry sector, geographic region, or “any other affinity.” The Executive Order permits ISAO membership to be drawn from members of the public sector or the private sector. ISAOs may be formed as for-profit or non-profit entities.
The Executive Order states that information sharing must preserve business confidentiality and safeguard the information being shared, as well as protect the federal government’s ability to “detect, investigate, prevent and respond to cyber threats to the public health and safety, national security, and economic security of the United States.” The order does not, however, provide companies with any protection from liability that may arise in connection with the sharing of cyber-threat information.
Finally, the Executive Order calls for the creation of a common set of voluntary standards for the operation of ISAOs. The standards must “further the goal of creating robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adopted of automated mechanisms for the sharing of information.” The order envisions that the standards for ISAO operation and member participation will address, at a minimum:
- Contractual agreements that underpin ISAOs;
- Data sharing and administration business processes;
- Technical aspects of data sharing; and
- Privacy protections, such as minimization.
The lack of liability protections has in the past stifled cyber-threat information sharing, even after the FTC and the DOJ announced that “properly designed” cyber-threat information sharing is not likely to raise antitrust concerns. While this FTC and DOJ position has encouraged confidential sharing of cyber-threat information among businesses, large scale sharing by the private sector with the government is likely to continue to be contingent on robust liability protections. Without liability protections, the private sector might still choose to share cyber-threat information with the government if businesses view the value of such sharing as exceeding the risk that may arise from private suits or government enforcement actions.
At the same time, however, the intensity of current focus on cybersecurity illustrates a bigger point. Namely, cybersecurity continues to be a hot topic for all industries and regulators, including the SEC and the FFIEC, for example. It is not question of if but of when most businesses would be expected by regulators and shareholders to have addressed cyber preparedness. Addressing cybersecurity is a process for any organization. Thus, in light of ongoing cyber threats and regulatory focus on cybersecurity, it is the right time for organizations across industries to assess their cybersecurity efforts, understand their exposure and implement or upgrade their cyber-preparedness plans.