Export Compliance Daily is a Warren News publication.
Dependent on Legislation

Obama Signs Cybersecurity Information Sharing Executive Order

President Barack Obama signed a cybersecurity executive order Friday to encourage cyberthreat information sharing between the private sector and the government and to effectively concentrate that sharing at the Department of Homeland Security. “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners,” he said. The order represents an important step on improving cybersecurity, but isn't as far-reaching as a 2013 executive order that resulted in the production of the National Institute of Standards and Technology’s Cybersecurity Framework, industry executives and lawyers told us.

The White House disclosed the broad outlines of the order in mid-January. Executives who attended White House briefings then said Obama would pair a legislative proposal for improving cyber information sharing with either an executive order or executive action (see 1501120045). The White House hadn’t committed to an executive order until recently, amid deliberations over how extensively it would act before Congress advanced legislation, an industry lobbyist said. The new order is a “complement” to the 2013 order, which “fundamentally altered the administration’s position on cybersecurity away from the regulatory model they’d previously embraced,” Internet Security Alliance President Larry Clinton said.

The executive order expands the existing information sharing apparatus by encouraging the development of new information sharing and analysis organizations (ISAOs) to complement existing information sharing and analysis centers (ISACs), including funding a nonprofit to develop voluntary ISAO standards, the White House said. ISAOs can include nonprofits, membership organizations or companies that facilitate information sharing with their customers, the White House said. The DHS-operated National Coordinating Center for Communications is the communications sector’s current ISAC. ISAOs will abide by voluntary privacy and civil liberties protection standards and will require federal agencies that collaborate with ISAOs to coordinate their activities with federal privacy and civil liberties officials. The order clarifies DHS’s authority to allow the National Cybersecurity and Communications Integration Center (NCCIC) to sign information sharing agreements with information sharing organizations.

The order authorizes DHS to approve classified information sharing arrangements, which will streamline the private sector’s ability to access classified cyberthreat information, the White House said. Authorizing DHS to approve classified information sharing arrangements is “very important” for the private sector, because “the best information from the government has typically been classified and has to go through a declassification process,” said former FCC Public Safety Bureau Chief Jamie Barnett, a telecom and cybersecurity lawyer at Venable. “Being able to get that information declassified and out to companies while it is still meaningful is the real question for all of this.” The timeline for declassification and the number of approvals the information will need to go through “will be the challenge” that DHS will need to solve, Barnett said.

Obama urged Congress “not to engage in politics” and to act on the cyber legislative proposals the White House announced in January (see 1501130059). The plans included legislation that would codify provisions of the new executive order and institute liability protections for companies that share information with DHS, along with a national data breach notification bill. Obama also urged Congress to fund DHS for the rest of FY 2015. The department is funded through Feb. 27, but the bill to extend funding (HR-240) is in limbo (see 1502130015). DHS Secretary Jeh Johnson also encouraged Congress to act on DHS funding.

The order's success is also highly dependent on Congress passing an information sharing bill that contains effective liability protections, Clinton said. A strong information sharing partnership between the federal government and private sector, “where industry is going to be called upon to do things that are in the national interest,” will require “that they not be penalized for being good citizens,” Clinton said. “That assurance is perfectly reasonable and needs to be much clearer.” Congress’ Homeland Security and Intelligence committees are considering possible information-sharing legislation, including the latest iteration of the Cyber Intelligence Sharing and Protection Act (HR-234) and the Cyber Threat Sharing Act (S-456), which Senate Homeland Security ranking member Tom Carper, D-Del., bowed Wednesday (see 1502120069).

The House Homeland Security Committee announced a Feb. 25 hearing on Obama’s plan. The committee said it has invited Suzanne Spaulding, DHS under secretary-National Protection and Programs Directorate, and Phyllis Schneck, deputy under secretary-cybersecurity and communications. The committee “is now taking the next steps and working on new legislation, which will include liability protections for cyber threat information sharing,” Chairman Mike McCaul, R-Texas, said in a statement. “While I am glad that the president finally came to the table on this issue and delivered a proposal to Congress last month, many questions remain.” The hearing is set to begin at 10 a.m. in 311 Cannon.

The order is well intentioned, but the government should be “building out and providing sustained visible support for existing ISACs and other regional or non-profit organizations” instead of creating “further confusion” by creating ISAOs, said Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection. The NCCIC-centric information sharing structure isn’t sufficiently collaborative and won’t “achieve the desired outcome of improving our national” cybersecurity, Dix said. The White House’s establishment Tuesday of the Cyber Threat and Intelligence Integration Center within the office of the Director of National Intelligence (see 1502110063) to facilitate information sharing between U.S. intelligence agencies and civilian agencies shows that NCCIC isn’t “fulfilling its mission of facilitating productive bi-directional information sharing, analysis, and collaboration between industry and government,” Dix said.