In conjunction with a summit on cybersecurity conducted at Stanford University on February 13, President Obama signed an Executive Order to promote cybersecurity information sharing, both within the private sector and between government and the private sector.
The Executive Order requires the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).” These ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations. In addition, the National Cybersecurity and Communications Integration Center (NCCIC) will “engage in continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information related to cybersecurity risks and incidents, addressing such risks and incidents, and strengthening information security systems.”
The Order also requires the Secretary of Homeland Security to enter into an agreement with a nongovernmental standards organization to identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs. The goal of the standards will be to create “robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information.”
In his remarks at the summit, the President said “[w]hen consumers share their personal information with companies, they deserve to know that it’s going to be protected. When government and industry share information about cyber threats, we’ve got to do so in a way that safeguards your personal information.” However, recent tension between Silicon Valley and Washington has focused precisely on that issue. Technology companies have expressed concern that if they provide a “back door” for government security agencies to enable them to foil or investigate cyberattacks, the information gathered through those “back doors” will be used by those same agencies to violate American citizens’ privacy rights.
Classified information leaked by Edward Snowden, a former NSA contractor, in 2013 revealed that those concerns are not without foundation. Expressing this tension, Apple CEO Tim Cook, while committing to “work productively” with the government at the February 13 summit, also said “[i]f those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money. We risk our way of life.”