After years of stressing the need for better cyberthreat intelligence sharing between the private sector and government, President Obama is expected to issue an executive order on Friday directing the two sides to collaborate more closely on the issue.
The action should spell out the ground rules for threat information sharing between businesses and government agencies, and will offer a measure of liability protection for companies that engage in it.
It comes after multiple failed attempts by the Obama administration to pass cybersecurity legislation with similar goals. In fact, it arrives exactly one year after a directive from Obama that laid out a similar goal but appears not to have gained much traction.
White House Cybersecurity Coordinator Michael Daniel announced the president’s plan at a Thursday press briefing. Mr. Daniel said the action will further the nation’s cyberecurity goals and enable the Department of Homeland Security to do a better job of managing the information flow from the private sector.
The president plans to make the announcement at a White House Summit on Cybersecurity and Consumer Protection at Stanford University where he will meet with some 1,000 corporate executives to discuss ways to improve the nation’s defenses against cyberthreats.
The summit and the executive action are part of an ongoing effort by the administration to respond to the growing concerns spawned by recent attacks on companies such as Sony Pictures, Anthem, JPMorgan Chase, Target, and Home Depot. These attacks have compromised personally identifiable information and payment card data for tens of millions of consumers.
In his keynote address at the summit and in meetings with technology leaders at the event, Obama and his team are expected to hammer home the need for private sector companies to engage more actively with each other and the government to address the vulnerabilities that have resulted in such breaches.
Earlier this week, the White House announced a new Cyber Threat Intelligence Integration Center (CTIIC) that has already been tasked with producing coordinated cyberthreat assessments based on information gathered from private companies and existing cyber centers.
The increased attention on information sharing by the White House could begin to nudge more companies to participate in it. The idea is that by mutually sharing information on certain threat indicators – such as malware code, registry keys, file paths, and malicious IP addresses – organizations can bolster their ability to detect and defend against cyberthreats.
Sector specific information sharing and analysis centers, such as those maintained by the financial services sector and defense industrial base companies, have been doing this sort of collaboration effectively for years.
But many companies, especially publicly traded ones, have been reluctant to release sensitive information because of potential liability concerns involved with such information sharing. The concern is that private and protected information could be inadvertently included in the threat information shared by companies with the government.
Privacy rights advocacy groups have stridently opposed information sharing with the government over such concerns. Issues with the actual mechanisms that are needed to exchange threat information between companies have also been an inhibitor.
For Obama’s initiative to succeed, the executive order – or any legislation that comes in its wake – will need to address such concerns.
“The executive order is going to go a long way in generating more discussions on how we can share information between the public and private sector,” said Phil Smith, senior vice president of government solutions at security company Trustwave. “But I do think there has to be some sort of legislative action to give those lawyers in private companies some measure of protection against lawsuits,” stemming from information sharing, he said.
The role that the new White House threat intelligence center will play in analyzing and disseminating threat information is also key, said Christopher Pierson, general counsel an chief security officer at Viewpost, a payment platform and supplier of an online invoicing platform.
“Overall, the key to information sharing is quality of data, actionable data, and speed at which it is delivered to others,” said Mr. Pierson. “How does information flow, to whom, what is the analysis, and who is responsible."
Adding a new office to handle threat intelligence could also add complexity and confusion to the process, he said.
“Right now, we have several government, private sector, and even corporate-sponsored sharing centers,” in addition to several state and federally funded efforts, said Pierson. “So one more agency might be better if it ties the data, provides bi-directional information sharing, and speed across all sectors. But it may also be another layer."