Government Contracts Monitor

Executive Order Promotes Private Sector Cybersecurity Information Sharing

March 9, 2015

By: Eric Whytsell

On February 13, 2015, President Barack Obama issued an executive order (Order) intended to encourage the sharing of information related to cybersecurity risks and incidents within the private sector and between the private sector and government. Building upon the foundation established by Executive Order 13636 (Improving Critical Infrastructure Cybersecurity), and Presidential Policy Directive-21 (PPD-21) (Critical Infrastructure Security and Resilience), the Order establishes a framework for expanded information sharing designed to help companies work together and with the federal government, to quickly identify and protect against cyber threats.

At the same time, the Order seeks to ensure that such information sharing is conducted in a manner that: (i) protects the privacy and civil liberties of individuals; (ii) preserves business confidentiality; (iii) safeguards the information being shared; and (iv) protects the Government’s ability to detect, investigate, prevent, and respond to cyber threats to the public health and safety, national security, and economic security of the United States.

A central aspect of the Order is its direction that the Secretary of Homeland Security (Secretary) “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs)” with members drawn from the public and/or private sectors. The Secretary is also directed to drive the development of “a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order.” The resulting standards should advance the goal of creating robust sharing of cybersecurity information with and among ISAOs, “to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information.”

The Order streamlines the mechanism by which the National Cybersecurity and Communications Integration Center enters into information sharing agreements with ISAOs in the hopes that robust, voluntary public/private information sharing continues and expands. The Order addresses privacy and civil liberties concerns by ensuring that ISAOs agree to abide by a common set of privacy standards and that agency officials working with ISAOs coordinate their activities with senior privacy officials and employ appropriate privacy protections.

It also seeks to make private sector access to classified cybersecurity information easier by amending Executive Order 12829 concerning the National Industrial Security Program. As amended, the prior executive order now allows DHS to approve classified information sharing arrangements and takes steps to ensure that information sharing entities can appropriately access classified cybersecurity information.

Finally, the Order paves the way for new, more expansive legislation by promoting the concept of ISAOs as a framework for the targeted liability protections that the Obama Administration has long asserted are key to successfully expanding cybersecurity information sharing. On that front, Senator Tom Carper (D-Del.) last month introduced legislation similar to a legislative proposal issued by the White House last month: S. 456: Cyber Threat Sharing Act of 2015, which would limit the liability of companies that voluntarily disclose cyber threat indicators.

Attorneys