Obama expands info sharing with executive order

President Barack Obama on Feb. 13 signed an executive order to further encourage the sharing of cyber-threat information between the Department of Homeland Security and the private sector. It is the latest push by the administration to foster a clearer view among corporations and federal agencies of malicious cyber threats that officials say have intensified in recent months.

"This has to be a shared mission," Obama said in a speech at Stanford University. "So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone."

The executive order encourages exchanges beyond established, sector-specific information sharing and analysis centers. Under the directive, an information sharing and analysis organization (ISAO) could be anything from a "non-for-profit community" to a "membership organization" or a single firm, according to a White House summary.

Greg Nojeim, senior counsel at the Center for Democracy and Technology, said the establishment of ISAOs and accompanying guidelines for private firms to share information could increase trust in the process. Companies will be more comfortable sharing information with ISAOs because "they'll know what will be done with the information they share," he said.

Obama stressed the theme of technological vulnerability in making the case for his directive. "The same information technologies that help make our military the most advanced in the world are targeted by hackers from China and Russia who go after our defense contractors and systems that are built for our troops," he said.

The executive order directs DHS to set up a nonprofit organization to develop a common set of voluntary standards ISAOs can follow. A National Security Council spokesperson said the nonprofit's staffing and relationship to DHS is still being hashed out.

The executive order bolsters DHS's National Cybersecurity and Communications Integration Center as the hub for private firms to share cyber-threat data by making it easier for ISAOs to enter information-sharing agreements with the center. NCCIC, an around-the-clock center for analyzing and disseminating threat information, has been central to the administration's focus on cybersecurity. In 2014, the center received about 97,000 incident reports and detected some 64,000 vulnerabilities on federal and non-federal systems, DHS Assistant Secretary of Cybersecurity and Communications Andy Ozment told lawmakers Feb. 12.

Privacy in the spotlight

The executive order builds on the White House's recent legislative proposal on information sharing, which seeks common ground with Congress on what has been a contentious issue. Congress has considered information-sharing bills in various forms in recent years, but the legislation has stalled in the Senate in the face of opposition from privacy and civil liberties groups.

Administration officials hope enhanced privacy provisions will win a critical mass of support in Congress for the proposal, or some variation of it. But so far the White House proposal has drawn mixed reactions.

For Nojeim, the elevation of DHS's role in information sharing could be good for privacy. Better to have DHS handling cyber threat data from private firms than the far less transparent National Security Agency, he said.

The risk of overreliance on info sharing

Administration officials have long called for closer public-private collaboration on cybersecurity, and that is where things are heading, according to Tenable Network Security CEO Ron Gula.

"We might find ourselves in a situation -- it might be five years from now, it might be 10 years from now -- where the U.S. government has a much, much more active role in the day-to-day security operations of a commercial organization," he said.

Gula, a former IT professional at the NSA, welcomed the executive order but cautioned against seeing information sharing as a panacea for U.S. vulnerabilities in cyberspace.

Matthew Loeb, chief executive of ISACA, a global association of IT professionals, said information sharing between government and industry is about developing "transparency across the system to ensure that there can be information sharing as needed."

The White House-led security summit, which featured Apple CEO Tim Cook and a host of other corporate executives, laid the foundation for greater government-industry dialogue on cybersecurity, said Loeb, who was on hand for the summit in Palo Alto, Calif.