President Signs New Executive Order Establishing a Framework for Public-Private Cybersecurity Collaboration

SUMMARY

Earlier today, President Obama signed an Executive Order intended to “encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.” The Executive Order calls for the development of Information-Sharing and Analysis Organizations (“ISAOs”), made up of businesses, nonprofits, and government agencies, for the purpose of sharing information to combat cybersecurity threats. The Executive Order also directs the Secretary of Homeland Security to work with the private sector to develop a set of voluntary standards or guidelines to govern the operation of the ISAOs. The new framework would also include certain protections for privacy and civil liberties, and for business confidentiality. Though mostly advisory in nature, the Executive Order is intended to promote a faster, more coordinated response to cybersecurity threats. It follows several recent legislative and executive initiatives addressing cybersecurity.

BACKGROUND

The Obama Administration has placed a heightened emphasis on improving the country’s ability to defend against cyber threats, and one of its principal objectives is to encourage enhanced collaboration between the private and public sectors. In January of this year, President Obama sent to Congress proposed legislation that includes several proposed mechanisms designed to encourage private sector entities to better share cyber threat information amongst themselves and with the federal government. Earlier this month, the White House announced it was creating a new Cyber Threat Intelligence Integration Center to process and analyze cyber threat intelligence collected by various federal agencies. Cybersecurity has also been a focus of recent Congressional movement, including the introduction in the Senate of the “Cyber Threat Sharing Act of 2015,” legislation that would facilitate the sharing of cyber threat data between the private and public sectors and provide certain liability protections for private sector companies that share such data. Unveiling the new Executive Order today at a day-long “Summit on Cybersecurity and Consumer Protection” at Stanford University, which was attended by business, security, and privacy leaders from around the country, President Obama stressed the critical importance of collaboration between the private sector and the government to protect against cyber threats, and to safeguard individual privacy and civil liberties.

DISCUSSION

The Executive Order directs the Secretary of Homeland Security (“Secretary”) to encourage the creation of groups or communities of public sector or private sector organizations called ISAOs, to be organized by region, or industry, or in response to a common threat. The ISAOs would, in turn, collaborate with the National Cybersecurity and Communications Integration Center (“NCCIC”), an organization within the Department of Homeland Security, to share information about cybersecurity risks and incidents, and to improve information security systems.

The Executive Order also directs the Secretary to facilitate the creation of a non-governmental organization, the ISAO Standards Organization, to develop voluntary guidelines or standards that would govern the creation and functioning of ISAOs. These guidelines would not be limited to specific topics, but could address business contracts and processes, as well as privacy protections. The Secretary is directed to choose an organization to serve as the Standards Organization based on an open and competitive process, in collaboration with other federal agencies responsible for cybersecurity.

In an effort to streamline the process for private entities to access classified information about cybersecurity threats, the Executive Order also grants the Department of Homeland Security authority to approve agreements governing the sharing of classified information.

The Executive Order specifies that federal agencies that are involved with ISAOs, in addition to adhering to any applicable voluntary privacy protections established by the Standards Organization, would adhere to privacy and civil liberty protections based on the Federal Trade Commission’s existing Fair Information Practice Principles.

The Executive Order builds on prior executive action from February 2013—Executive Order 13636: Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive-2: Critical Infrastructure Security and Resilience—both of which laid the groundwork for private-public collaboration regarding cybersecurity by establishing a framework to help businesses evaluate their investments in cybersecurity. In addition, the new Executive Order is intended to complement the White House’s January 2015 legislative proposal. The Administration intends the ISAO framework to promote collaboration with federal agencies by reducing private-sector fears of liability for sharing sensitive information with the federal government. Although this type of liability protection will likely require legislation, this Executive Order is intended in part to promote adoption of such legislation in the near future.