On February 13, 2015, at the White House’s Cybersecurity and Consumer Protection Summit at Stanford University, President Obama signed an executive order promoting private sector cybersecurity information sharing (“Executive Order”). Building on the current cybersecurity information sharing efforts of Information Sharing and Analysis Centers and groups such as the National Cyber-Forensics and Training Alliance, the new Executive Order emphasizes the need for private companies, non-profit organizations and government agencies to share information about cyber threats, vulnerabilities and incidents. Its purpose is to facilitate private-private and public-private cybersecurity information sharing while (1) protecting the privacy and civil liberties of individuals; (2) protecting business confidentiality; (3) safeguarding shared information; and (4) protecting the government’s ability to detect, investigate, prevent and respond to cyber threats.
The Executive Order directs the Department of Homeland Security (“DHS”), in consultation with other federal agencies, to “strongly encourage” the development and formation of voluntary Information Sharing and Analysis Organizations (“ISAOs”). An ISAO may be organized based on sector, sub-sector, region or other affinity, including in response to a particular threat or vulnerability. It may be a for-profit or non-profit entity, and may take on a variety of forms, including a community group, membership organization, or even an individual company that shares information among its customers or partners. DHS will fund a non-governmental organization to serve as a standards organization that identifies a common set of voluntary standards for the creation and functioning of ISAOs. The mission of the standards organization will be to make collaboration safer, faster and easier, and to ensure greater coordination within the private sector to respond to cyber threats.
The Executive Order streamlines the process through which DHS enters into information sharing arrangements with ISAOs. Specifically, it directs the National Cybersecurity and Communications Integration Center at DHS (“NCCIC”) to engage in continuous, collaborative and inclusive coordination with ISAOs with respect to sharing cybersecurity information, addressing cyber risks and incidents, and strengthening information security systems.
The Executive Order addresses privacy concerns by ensuring that ISAOs agree to abide by a common set of privacy standards, and that agencies collaborating with ISAOs coordinate their activities with senior privacy officials and ensure the incorporation of appropriate privacy protections.
In addition, the Executive Order makes it easier for ISAOs and individual companies to access classified cybersecurity information by amending Executive Order 12829 on the National Industrial Security Program. As amended, Executive Order 12829 now gives DHS the authority to approve classified information sharing arrangements and ensure that information sharing entities can appropriately access classified cybersecurity information.