Modern field guide to security and privacy

Obama to issue executive order promoting cyberthreat information sharing

At a White House summit on cybersecurity at Stanford University on Friday, Obama is expected to spell out details for how private companies and the government can share details on digital threats and vulnerabilities.

Evan Vucci/AP
President Obama pressed Congress to pass cybersecurity legislation in a January speech at the National Cybersecurity and Communications Integration Center in Arlington, Va.

After years of stressing the need for better cyberthreat intelligence sharing between the private sector and government, President Obama is expected to issue an executive order on Friday directing the two sides to collaborate more closely on the issue.

The action should spell out the ground rules for threat information sharing between businesses and government agencies, and will offer a measure of liability protection for companies that engage in it.

It comes after multiple failed attempts by the Obama administration to pass cybersecurity legislation with similar goals. In fact, it arrives exactly one year after a directive from Obama that laid out a similar goal but appears not to have gained much traction.

White House Cybersecurity Coordinator Michael Daniel announced the president’s plan at a Thursday press briefing. Mr. Daniel said the action will further the nation’s cybersecurity goals and enable the Department of Homeland Security to do a better job of managing the information flow from the private sector.

The president plans to make the announcement at a White House Summit on Cybersecurity and Consumer Protection at Stanford University where he will meet with some 1,000 corporate executives to discuss ways to improve the nation’s defenses against cyberthreats.

The summit and the executive action are part of an ongoing effort by the administration to respond to the growing concerns spawned by recent attacks on companies such as Sony Pictures, Anthem, JPMorgan Chase, Target, and Home Depot. These attacks have compromised personally identifiable information and payment card data for tens of millions of consumers.

In his keynote address at the summit and in meetings with technology leaders at the event, Obama and his team are expected to hammer home the need for private sector companies to engage more actively with each other and the government to address the vulnerabilities that have resulted in such breaches.

Earlier this week, the White House announced a new Cyber Threat Intelligence Integration Center (CTIIC) that has already been tasked with producing coordinated cyberthreat assessments based on information gathered from private companies and existing cyber centers.

The increased attention on information sharing by the White House could begin to nudge more companies to participate in it. The idea is that by mutually sharing information on certain threat indicators – such as malware code, registry keys, file paths, and malicious IP addresses – organizations can bolster their ability to detect and defend against cyberthreats.

Sector-specific information sharing and analysis centers, such as those maintained by the financial services sector and defense industrial base companies, have been doing this sort of collaboration effectively for years.

But many companies, especially publicly traded ones, have been reluctant to release sensitive information because of potential liability concerns involved with such information sharing. The concern is that private and protected information could be inadvertently included in the threat information shared by companies with the government.

Privacy rights advocacy groups have stridently opposed information sharing with the government over such concerns. Issues with the actual mechanisms that are needed to exchange threat information between companies have also been an inhibitor.

For Obama’s initiative to succeed, the executive order – or any legislation that comes in its wake – will need to address such concerns.

“The executive order is going to go a long way in generating more discussions on how we can share information between the public and private sector,” said Phil Smith, senior vice president of government solutions at security company Trustwave. “But I do think there has to be some sort of legislative action to give those lawyers in private companies some measure of protection against lawsuits,” stemming from information sharing, he said.

The role that the new White House threat intelligence center will play in analyzing and disseminating threat information is also key, said Christopher Pierson, general counsel and chief security officer at Viewpost, a payment platform and supplier of an online invoicing platform.

“Overall, the key to information sharing is quality of data, actionable data, and speed at which it is delivered to others,” said Mr. Pierson. “How does information flow, to whom, what is the analysis, and who is responsible.”

Adding a new office to handle threat intelligence could also add complexity and confusion to the process, he said.

“Right now, we have several government, private sector, and even corporate-sponsored sharing centers,” in addition to several state and federally funded efforts, said Pierson. “So one more agency might be better if it ties the data, provides bi-directional information sharing, and speed across all sectors. But it may also be another layer.”

 
