Thursday, February 26, 2015

Obama’s New Order Urges Companies to Share Cyber-Threat Info With the Government

US President Barack Obama arrives to speak at the White House Summit on Cybersecurity and Consumer Protection at Stanford University in Palo Alto on February 13, 2015.

President Barack Obama announced a new Executive Order today aimed at facilitating the sharing of information about cyber-threats between private sector companies and the government.
Speaking at a cybersecurity summit convened by the White House at Stanford University, Obama signed the order on stage to promote information sharing both within the private sector and between the private sector and the government.
The order, he said, “calls for a common set of standards, including protection for privacy and civil liberties” and is intended to make it easier for companies to get the classified cyber-threat information that they need to protect themselves. “Classified threat information can often provide valuable context to network defenders and enhance their ability to protect their systems,” the order reads.
The order establishes the Department of Homeland Security as the agency in charge of handling the information sharing. That choice is no doubt designed to alleviate fears about the National Security Agency taking a lead role and possibly using the information for surveillance purposes.
DHS will oversee the collection and dissemination of information to the appropriate federal agencies and to the private sector through so-called Information Sharing and Analysis Organizations. An ISAO is a group or community of companies, government agencies or non-profit groups with a common interest, typically a sector such as finance or energy, formed so that members can share information relevant to them.
The order further requires DHS to work with the attorney general to develop guidelines for how the government collects and handles the shared data. The shared data would include "indicators of compromise": observable artifacts such as the IP addresses from which attacks originate, malware samples and phishing emails, along with other information about the techniques attackers use to gain access to systems.
The Executive Order does not give companies protection from liability when they share information; lawmakers will have to do that through legislation. This has been a sticking point for civil liberties groups with many of the cybersecurity laws proposed so far. When companies discuss legal immunity it harks back to the immunity that lawmakers gave telecoms after the Bush administration's warrantless surveillance program was unearthed in 2005. As WIRED reported in 2006, AT&T had installed a secret room at a facility in San Francisco believed to have been used by the NSA for monitoring communications crossing fiber-optic cables.
Civil liberties groups are concerned about what kind of information could be shared with the government about users if data isn’t sufficiently anonymized or otherwise protected. They’ve also been concerned about how that information might be used for law enforcement or intelligence purposes, beyond use of the data for detecting and fighting threats.
On the matter of privacy and civil liberties, the Executive Order asserts that all private-sector ISAOs will also be expected to “agree to abide by a common set of voluntary standards, which will include privacy protections, such as minimization, for ISAO operation and ISAO member participation. In addition, agencies collaborating with ISAOs under this order will coordinate their activities with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the Fair Information Practice Principles.”
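The two paragraphs above describe what gets shared (indicators of compromise such as source IP addresses, malware samples and phishing emails) and the one protection the order names for it (minimization). The script below is an added example, not part of the original article and not tied to any DHS or ISAO tooling; it shows what minimization looks like in practice when a defender prepares a phishing email for sharing. The email, the `example-bad.test` domain, the 203.0.113.45 address (an RFC 5737 documentation range) and the victim details are all constructed for illustration. The function keeps the attacker-side artifacts (sender domain, external relay IP, landing URL, sample hash) and deliberately drops everything that identifies the recipient: the To header, the body text, the employee ID and the username carried in the URL query string.

```python
import email
import hashlib
import ipaddress
import re
from email import policy

# Constructed sample phishing message (not from the article). Every address,
# domain and identifier below is made up for the example.
SAMPLE_PHISH = b"""\
Received: from mx.victim.example ([10.1.2.3]) by mailstore.victim.example
Received: from mail.example-bad.test ([203.0.113.45]) by mx.victim.example
From: "IT Helpdesk" <helpdesk@example-bad.test>
To: alice.smith@victim.example
Subject: Password expiry notice
Content-Type: text/plain

Dear Alice Smith, your password expires today.
Reset it at http://login.example-bad.test/reset?u=alice.smith
Employee ID 48213, direct line 555-0100.
"""

# Internal ranges whose addresses say nothing about the attacker; they only
# reveal the victim's own mail topology, so they are withheld.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL = re.compile(r"https?://[^\s'\"<>]+")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(raw: bytes) -> dict:
    """Return only the shareable indicators from a raw phishing email.

    Minimization rules applied here (assumptions for this example, not a
    published ISAO standard):
      - recipient address, subject and body text are never included;
      - only externally routable relay IPs from Received headers are kept;
      - URLs are truncated at '?', because query strings routinely carry the
        target's username or a per-recipient tracking token.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)

    relay_ips = set()
    for hdr in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(str(hdr)):
            if not is_internal(ip):
                relay_ips.add(ip)

    sender_domain = None
    if msg["From"] and msg["From"].addresses:
        sender_domain = msg["From"].addresses[0].domain.lower()

    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = {u.split("?", 1)[0] for u in URL.findall(body)}

    return {
        # Hash of the full sample lets recipients match it without the sample
        # itself (and its PII) being shared.
        "sample_sha256": hashlib.sha256(raw).hexdigest(),
        "sender_domain": sender_domain,
        "source_ips": sorted(relay_ips),
        "urls": sorted(urls),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_PHISH).items():
        print(f"{key}: {value}")
```

The choice of what to strip is a policy decision, which is exactly the part the order leaves to DHS and the attorney general; the code only makes the decision explicit and auditable. Note that the sample hash still lets two ISAO members confirm they saw the same message without either of them having to share the message body.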
Obama did not elaborate on what kinds of privacy and civil liberties protections would be put in place for the information-sharing program. This presumably would be left to DHS and the attorney general to work out.