On February 13, 2015, President Obama spoke to attendees of the White House Summit on Cybersecurity and Consumer Protection held at Stanford University. Obama called the digital world a "sort of Wild Wild West," and he and many corporate representatives announced developments intended to strengthen cybersecurity. Obama also signed an Executive Order to encourage and promote information sharing between the private sector and the government. In addition, some of the nation's largest corporations announced their implementation of the Cybersecurity Framework developed in 2014 by the National Institute of Standards and Technology, a number of credit and financial institutions committed to increasing security in payment technology, and several companies announced that they will be focusing on multifactor authentication methods. Obama also revisited the legislative proposal sent to Congress last month following the State of the Union address.
Information sharing has been a key concern of this administration, as evidenced by the 2013 Executive Order on Critical Infrastructure ("2013 Executive Order"), which focused on increased sharing between the federal government and critical infrastructure. Following his remarks at Stanford University, Obama signed Executive Order 13587—Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information ("Order"). The Order expands cyber threat and other information sharing to the private sector generally. The Order provides for a voluntary information-sharing framework in three areas: (i) private sector collaboration, (ii) collaboration between the private and the government sectors, and (iii) adherence to privacy and civil liberty protections. To encourage private sector collaboration, the Order encourages the development of information sharing and analysis organizations ("ISAOs") and directs the Department of Homeland Security ("DHS") to fund an organization to develop a set of voluntary operating standards for ISAOs.
The Order also streamlines the procedures for the National Cybersecurity and Communications Integration Center to enter into formal information-sharing agreements with private sector ISAOs. For the first time, the Order adds the DHS to the list of federal agencies that can approve classified cyber threat information sharing arrangements. Finally, the Order calls for the development of privacy standards among the voluntary standards to be developed for ISAOs and requires federal agencies collaborating with ISAOs to coordinate any information-sharing activities with their senior agency officials to address privacy and civil liberties concerns.
The President's 2013 Executive Order directed the development of a Cybersecurity Framework ("Framework") by the National Institute of Standards and Technology. The Framework itself, released in early 2014, has been promoted by the government as an important voluntary tool for guiding an organization's decisions about cybersecurity. Various corporations have announced a commitment to using the Framework and intend to require their vendors to use it as well. It remains to be seen whether the Framework, if widely adopted, could lead some to maintain that it represents a reasonable standard of care. Nevertheless, where the Framework is imposed as a contractual obligation, failure to abide by it may expose some companies to breach of contract risks. Thus, careful consideration must be given to adopting the Framework.
Secure Payment Technologies
The President's BuySecure Initiative, introduced in October 2014 as part of the Executive Order—Improving the Security of Financial Transactions, is intended to increase protection of payment cards by requiring the use of Chip and PIN technologies by federal agencies. It also seeks to promote the adoption of Chip and PIN technologies by the private sector. A summary of this initiative is available in our Jones Day Alert, "California Attorney General Calls for Greater Data Protection, and Recommends Adoption of Chip and Pin Payment Card Technology." During the summit, a number of companies also announced various commitments they have made to advancing payment technology, including tokenization (the substitution of credit card numbers with randomly generated tokens during each transaction), adoption of Apple Pay for federal government transactions, and cybersecurity educational programs for small businesses. The administration also emphasized the number of companies that have committed to making credit scores available for free to customers as part of its efforts to provide resources for identifying identity theft.
Multifactor Authentication Methods
The Summit also included announcements by several technology companies and financial institutions regarding the development of multifactor authentication technologies, such as non-password-based authentication, new multifactor authentication based on biometrics, and support for an open standard for authenticating domain names by the end of 2015. Obama noted the government's investment in these new technologies through the National Strategy for Trusted Identities in Cyberspace.
Obama also emphasized the legislative proposals he provided to Congress in January 2015, stating that key cybersecurity legislation is needed to support increased information sharing, allow law enforcement authorities to combat cybercrime, and standardize data breach reporting. In the absence of such legislation, however, the initiatives announced during the summit at Stanford, as well as the information sharing covered by the Order, will be purely voluntary.
Private industry appears to prefer legislation that will clearly address the mechanics, responsibilities, and, most importantly, liability protection for firms that share such information. While cyber threat information sharing is important to combating cybercrime, firms need to carefully consider whether they should agree to the imposition of "privacy protection standards" in the absence of liability protections. Thus, while the advancement of greater information sharing between the private and public sectors may be a move in the right direction, it is not likely to be universally well received by private industry, particularly by those companies and industries that remain concerned with the increasing level of government access to their customer information, and by those facing heightened liability exposure, such as antitrust concerns or the handling of sensitive information.