President Obama's February 13 Executive Order, "Promoting Private Sector Cybersecurity Information Sharing" (the "EO"), turns out to be light on new measures to improve cybersecurity, but focused heavily on adjustments to prior Executive Orders implementing the rules for handling classified information. This focus introduces concerns about government agencies picking winners and losers in the cybersecurity business by giving some access to data while keeping others out of the room when information about pending cyber threats and technical responses is being discussed. Privacy concerns received only a passing mention in the EO, which irritated civil liberties groups. Liability limitations for private companies sharing cybersecurity data received no attention at all, which irritated data industry players.
What's New (or not so new)? Information Sharing and Analysis Organizations
The EO acknowledges that organizations, including private sector participants, are "invaluable" in the collective cybersecurity of the United States. It then assigns to the Secretary of Homeland Security the duty to "strongly encourage" the formation of Information Sharing and Analysis Organizations (ISAOs). The distinction between these new ISAOs and the Sector Coordinating Councils (SCCs) that Homeland Security was called upon to involve in cybersecurity coordination by EO 13636, issued two years ago, is not entirely clear. DHS has never been short of councils to coordinate its activities. At last count there were at least seven existing councils through which DHS is to coordinate its critical infrastructure activities, including the SCCs, Government Coordinating Councils, Critical Infrastructure and Key Resources Cross-Sector Council, Regional Consortium Coordinating Council, Federal Senior Leadership Council, the State, Local, Tribal and Territorial Government Coordinating Council, and the Critical Infrastructure Partnership Advisory Council. No harm in adding another council (or more correctly, another family of councils) to the mix. Industry response to the earlier council offerings has been tepid. Apparently, this time, the President is telling the DHS that he really means it.
In order to enhance the attractiveness of the ISAOs to industry, the EO envisions information sharing from government to industry as well as private data going to the government. Sharing government cyber threat data with industry has the potential to compromise sources and technical capabilities of government agencies, however, so the EO also includes numerous technical changes to earlier executive orders establishing procedures for the handling of classified information. Under the new EO, "the [National Industrial Security Program] Manual, which prescribes the rules for obtaining and maintaining access to classified information by industry, shall also prescribe arrangements necessary to permit and enable secure sharing of classified information under a designated critical infrastructure protection program to such authorized individuals and organizations as determined by the Secretary of Homeland Security."
In short, some industry participants will be granted access to classified government cyber threat data, while others, unable for any number of reasons to qualify for clearances, will be denied access.
While it has obviously not been completely thought through, this approach does raise inevitable questions: does my bank have a security clearance? Does my health insurance carrier, or my grocery store? If they don't qualify for a clearance, is my data safe with them? If my data network or data storage provider doesn't have a clearance, should I move to a provider that does? If my data security vendor doesn't have a clearance, does that mean that they are not to be trusted with my data, or does it mean merely that they have fallen out of favor with a defense department security clearance vetting contractor who also may be a competitor? It's one thing for government agencies to pick winners and losers among their own vendors. It is quite another to have the uncertain standards governing the granting of security clearances determine who succeeds and fails in the commercial marketplace.
In contrast to the detailed attention given to protection of government secrets, the direction to federal agencies with respect to privacy is ambivalent: "Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency's activities." The definition of "appropriate protections" in this context is anyone's guess. The absence of any more detailed guidance on the extent that sharing of customer data in ISAOs should be circumscribed is raising objections from civil liberties groups.
Last, but perhaps politically most significant, is the absence of any language that even purports to provide protection from legal liability to industry participants in data sharing arrangements that violate their representations to customers or would otherwise violate fair trade standards. SCCs in many industries, including such sensitive industries as health care, have successfully shared cybersecurity information for more than a decade without cover from lawsuits, but the absence of such liability protections is now presented as an essential precondition to data sharing in some industries. It remains to be seen whether enough industry participants will judge the advantages of cyber threat data sharing valuable enough to continue doing so without additional legal cover.