Washington can’t quite agree about information sharing

This week marks the second anniversary of President Obama’s executive order on cybersecurity, a document that has shaped the cyberpolicy landscape since Feb. 12, 2013.

The president will mark the occasion by announcing a new “executive action” aimed at increasing the government-private sector information flow on cyber threats. The executive action — it’s not an executive order — will be unveiled during a Feb. 13 speech at Stanford University, where Obama is convening a “CEO summit” on cybersecurity.

Plans for a summit to address consumer data security were announced last fall, but the White House appears to have broadened the scope following the violent cyberattack on Sony Pictures.

“Sony really threw the administration for a loop and showed significant gaps in the policy,” said a financial-sector expert on cybersecurity.

The government’s cybersecurity efforts over the past two years have focused on protecting “critical infrastructure” such as banks and the electricity grid, but the Sony attack demonstrated how a vulnerability in an unexpected place — a movie studio, for instance — could have dramatic repercussions.

Whether the potential target is the financial sector, energy or retail, the government and businesses alike see improved information sharing as a vital missing ingredient in the policy mix.

It’s also the number one item on the new Congress’s cybersecurity to-do list. The government often has information on imminent or simmering cybersecurity threats, but struggles to push it out to the private sector amid legal and national security constraints.

U.S. businesses often have technical clues that could help thwart or limit the damage from a cyberattack — whether it’s a nation-state sponsored act of aggression or a criminal hack. But industry can be reluctant to share those clues amid fears of possible legal liability.

Determining the appropriate level of liability protection, while ensuring the sanctity of privacy and civil liberties, hobbled efforts to pass an information-sharing bill last year.

Lingering disagreements over the same issues were evident last month when Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis., held his first hearing of the year.

Industry witnesses said Obama’s legislative proposal on information sharing, unveiled prior to the State of the Union address, is much too narrow because it wouldn’t protect sharing between companies and would only extend liability coverage in a tightly defined space.

But Greg Nojeim of the Center for Democracy and Technology said the White House plan doesn’t do enough to ensure personal data is stripped from information shared with the government. Nojeim and other online privacy advocates want to see laws covering National Security Agency surveillance overhauled before Congress authorizes enhanced information sharing between the private sector and government.

Lawmakers and interest groups are bracing for an information-sharing debate that could unfold on Capitol Hill this spring.

In the meantime, Senate Commerce Committee Chairman John Thune, R-S.D., and other lawmakers believe a review of the 2013 executive order and the subsequent release of the National Institute of Standards and Technology’s framework of cybersecurity standards could be helpful.

Thune convened a hearing last week on experiences so far with the NIST framework.

One message from cybersecurity stakeholders: The framework and executive order have been successful because they both recognized the central role of the private sector while distilling the best thinking, from many quarters, into coherent policy documents.

The order was developed by Obama’s White House team but it leans heavily on the work of a 2011 House Republican task force put together by Speaker John Boehner, R-Ohio.

The GOP task force determined that only a flexible, industry-led approach could succeed in cyberspace. After the failure of detailed and prescriptive cybersecurity legislation in 2012, the Obama administration took a step back and largely agreed with the Republicans’ assessment. The result was the executive order in early 2013. That order promoted enhanced information sharing within existing legal authorities and provided a way for private-sector critical infrastructure operators to get security clearances.

Most significantly, it ordered NIST to craft a voluntary framework of cybersecurity standards.

One year later, NIST unveiled its framework at a White House ceremony.

“In the year since we announced the Cybersecurity Framework, it has emerged as a firm foundation for our cybersecurity conversations with the private sector,” White House cybersecurity coordinator Michael Daniel said in an email. “With the framework, we now have a shared cybersecurity vocabulary that will allow CEOs, governors and policymakers around the world to describe their cybersecurity posture and set targets to aspire to.”

The private sector has found value in the product “largely due to the open and inclusive process we used to build the Framework,” Daniel said. “It represents the best consensus of industry, academia, privacy advocates and the government, and that has made the Framework relevant and comprehensible to security professionals and decision-makers.”

Now, the president is looking to build out from there with his latest executive action.

“They’re getting the pieces in place,” an industry source said of Obama’s upcoming announcement. “But the executive action doesn’t eliminate the need for legislation” to address the liability issue, the source cautioned.

The executive action fits into a pattern in which the White House has moved aggressively to fill vacuums in cybersecurity policymaking with its own prescriptions.

Whether the White House and congressional Republicans can bridge differences over information sharing will be the defining cyberpolicy question of the year.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.