On 13 February 2015, President Obama signed an Executive Order strongly promoting (but not compelling) the sharing of cybersecurity information between all types of private and public entities. This approach reflects the belief that the rapid dissemination of accurate intelligence regarding cyber threats will be the best way to cultivate cybersecurity. Central to this US strategy is the encouragement of private participation, and organisations will have the opportunity to have a say on both the new standards and the standard-setting organization established by Executive Order.
The Order builds upon the previous cybersecurity groundwork laid by President Obama’s Executive Order of 12 February 2013 (Improving Critical Infrastructure Cybersecurity) and the key information sharing legislation passed in December 2014: The National Cybersecurity Protection Act 2014 and The Cybersecurity Enhancement Act 2014.
In order to facilitate improved cybersecurity, the Order calls for the creation of, and participation in, ISAOs (information sharing and analysis organisations). More specifically, “In encouraging the creation of ISAOs, the Executive Order expands information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.” The National Cybersecurity and Communications Integration Center (NCCIC) shall then “engage in continuous, collaborative, and inclusive coordination with ISAOs”. Consequently, the ability of government agencies to enter into consensual (and reciprocal) information sharing agreements forms the foundation of the Obama administration’s cybersecurity strategy.
Given that the Order does not require private participation, the administration appears keen to emphasise private participation in standard setting and the potentially reciprocal and tailored nature of any deal. Pursuant to section 3(a) of the Order, the Standards Organisation (SO) will be a nongovernmental entity selected through a competitive process. The SO will develop common sets of voluntary standards for information sharing, such as: contractual agreements, business procedures, the technical means of delivery and privacy protections. Under sections 3(c) and (d), these standards will be subject to public review and should be consistent with international standards. International companies doing business in the US may therefore want to take the opportunity to weigh in and help shape the standards.
Another point to note is that classified threat information held by the government may be released to private companies when facing an appropriate risk (however, no further guidance has yet been provided on this).
Lastly, the Order attempts to combat concerns for private sector civil liberties by placing an obligation on public agencies to conduct regular assessments of their own activities. Not a particularly onerous obligation, it must be said.
Overall the Order will be viewed as carrot rather than a stick. By allowing private entities to collaborate in setting minimum standards for information sharing, with the added security that individual information sharing agreements can be tailored to purpose, the US government is allaying fears of an Orwellian surveillance state. However, whether a kind invitation to the cybersecurity party will be enough to tempt companies into sharing information remains to be seen.
The private sector will have the opportunity to shape the future of US cybersecurity and information sharing obligations. The Department of Homeland Security is currently welcoming private sector ideas regarding potential ISAO voluntary guidelines and the SO at email@example.com, however no timeline has yet been announced regarding the conclusion of this consultation period or the operation of the SO (check here for further updates). If your organisation is interested in taking part in these consultations, please contact us and we will liaise with our US counterparts to facilitate this.
With thanks to Dominique R. Shelton, Litigation Partner, Alston & Bird LLP, Los Angeles for her contribution to this article.