Potentially side-stepping some failed legislation, President Obama has announced a new executive order mandating enhanced cyber security for the US. The order, which will be driven by the Department of Homeland Security (DHS), is intended to streamline the process of sharing information about threats between US businesses, law enforcement, and the US government itself.
The order “calls for a common set of standards” and will include “protection for privacy and civil liberties.” Additionally, “classified threat information can often provide valuable context to network defenders and enhance their ability to protect their systems,” so information shared with the public sector will be doled out by a division of Homeland Security to pre-selected groups for wide distribution to “Information Sharing and Analysis Organizations” (ISAO).
Private sector groups selected by the DHS to receive and disseminate information will be required to “agree to abide by a common set of voluntary standards, which will include privacy protections, such as minimization, for ISAO operation and ISAO member participation. In addition, agencies collaborating with ISAOs under this order will coordinate their activities with their senior agency officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the Fair Information Practice Principles.”
The order’s introductory language is reminiscent of the failed Cyber Intelligence Sharing and Protection Act (CISPA) bill. The bill failed in both 2012 and 2013, amid concerns over its “broad language” and threats to privacy. The threat of a presidential veto is what caused the bill to fail in 2013, despite its passage by the Republican-controlled House in both 2012 and 2013. It is not yet clear how the executive order differs from the various CISPA drafts.
The executive order doesn’t mandate what will be done to ensure civil liberties are maintained, nor does it address the contentious issue of companies’ protection from liability as a result of complying with the executive order. Restrictions on the collected data, and who will be authorized to use it, are not yet known either. A source of funding for the new program has not been identified.