White House Cybersecurity Information Sharing Proposal Focuses on Expanding Sharing Structure
President Barack Obama’s proposal for improving cybersecurity information sharing will center on a plan to work with the private sector to expand the nation's information sharing apparatus, two industry officials who attended White House briefings on the proposals told us Monday. Obama is to discuss cybersecurity information sharing during a speech Tuesday at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Obama’s visit to the NCCIC Tuesday is part of a series of policy-related events this week aimed at broadband- and cybersecurity-related issues that observers see as a preview of themes to be included in Obama’s Jan. 20 State of the Union speech. Obama announced an expansion of his October executive order on chip and PIN technology and new steps in his BuySecure Initiative, during a speech Monday at the FTC (see 1501120043">1501120043). Obama is to release a policy proposal Wednesday to improve affordable broadband access, while Vice President Joe Biden is expected to announce new funding Thursday to improve cybersecurity job training. The White House has timed other cybersecurity-related policy announcements to Obama’s State of the Union speeches, including the release of Obama’s February 2013 cybersecurity executive order to that year’s address (see report in the Feb. 14, 2013, issue).
Obama is expected to issue an executive order or executive action within the next month directing DHS to issue a request for proposals (RFP) to seek out public-private collaboration to create best practices for information sharing, said an industry executive who attended a White House briefing. Legislation reflective of the White House proposal also appears likely, though it’s unclear how it would be timed in relation to White House action, the executive said.
The White House wants to “expand the notion of what is an information sharing entity” beyond the current sector-specific information sharing and analysis centers (ISACs), said Internet Security Alliance President Larry Clinton, another industry representative who attended a White House briefing on the proposal. The White House doesn’t plan to replace the ISACs, “which they view as productive, but to expand the reach of information sharing, particularly at a regional level,” Clinton said. Public-private collaboration stemming from the RFP could develop similar to the model the National Institute of Standards and Technology used for its Cybersecurity Framework development process, Clinton said.
It’s “unknown at this stage” how the White House’s information sharing proposal would affect sector-specific efforts to adapt the NIST Cybersecurity Framework, Clinton said. The FCC Communications Security, Reliability and Interoperability Council Working Group 4 is working on recommendations for communications sector use of the framework, with a final report from the group set for submission at CSRIC’s March 18 meeting. “That would be the sort of thing that [the White House] would envision being worked out through the upcoming public-private process stimulated by the RFP,” Clinton said. "I think they are very interested in the private sector taking the lead on that, so the work that CSRIC’s done could be a model for this.”
The White House’s proposal wouldn’t affect work at independent agencies, an industry executive said. ISA hopes the process will lead to development of a cross-sector information sharing model, which would be beneficial because “large telephone companies have more in common on cybersecurity with large banks than they do with small telephone companies,” Clinton said. “We need to find a way to simplify the process for the smaller players. That’s one of the things we’ll be advocating for.”
The White House is also expected to propose clarifications to the NCCIC’s role, but it’s unclear what that would entail at this point, Clinton said. Obama signed multiple pieces of DHS-centric cybersecurity legislation that Congress passed in December, including the National Cybersecurity Protection Act, which codified the NCCIC’s role (see 1412100052). The White House didn’t suggest during its meeting with Clinton that it would be proposing a legislative alternative to the Cyber Intelligence Sharing and Protection Act (CISPA), which Rep. Dutch Ruppersberger, D-Md., reintroduced Friday (see 1501090035), Clinton said. The White House, which has opposed previous incarnations of CISPA, didn’t comment on whether it would oppose the reintroduced version of the bill but noted that Obama would meet with congressional leaders Tuesday to discuss areas of common ground on cybersecurity policy.
Senate Commerce Committee Chairman John Thune, R-S.D., criticized Obama’s return “back to the discussion” on cybersecurity. He said in a statement that “this level of personal engagement on legislation by the President certainly would have helped advance” the Cybersecurity Information Sharing Act (CISA), the Senate’s 2014 CISPA equivalent, which never made it to a full floor vote. Obama’s “engaged support for similar legislation this Congress would help address cyber threats, improve privacy protections, and would also begin to address concerns over the President’s go-it-alone approach of unilateral executive actions on cyber and other issues,” Thune said.