Near the end of President Obama’s State of the Union address, he addressed the need for cybersecurity reform. He also confirmed the long standing rumor that he would indeed be signing an executive order into law that helps increase information sharing between the government and private corporations. What’s surprising, however, is that it does address many of the privacy concerns that privacy proponents had with bills like CISPA and CSA.
With that being said, let’s get into the nitty gritty of the executive order, shall we? First up are details on how information sharing between public government entities and private corporations will work:
Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.
(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
In short, this part of the order makes it easier for government and companies to share information between themselves. This is what CISPA and CSA hoped to accomplish, and this executive order accomplishes pretty much the same thing.
What could be worrisome about this part of the order is that it makes it too easy to share information, but that would only be a concern if extensive privacy protections were not put in place. That’s where the next part of the order comes in:
Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.
(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.
As you can see, the above text illustrates that the Obama administration has built some decent privacy protections into the executive order. It’s a major relief since some were concerned that the executive order would be just like CISPA, privacy violations and all.
If you don’t want to take my word for it, the privacy protections in the executive order also got a pass from the ACLU. The organization’s Legislative Counsel Michelle Richardson had this to say about it:
“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information. More encouragingly, the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices – like consent, transparency, minimization and use limitations. If new information sharing authorities are granted—especially the overbroad ones being pondered by the House – these principles will be more important than ever. We look forward to working with the administration to make sure that the devil isn’t in the details when privacy regulations are drafted.”
Section seven of the order contains a number of strategies to be implemented by the government to address and counter any cyber attacks directed at critical infrastructure. The central point is the creation of a “cybersecurity framework” that will include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” Keeping transparency as a central theme, the Director of the National Institute of Standards and Technology will “engage in an open and public review and comment process” during the creation of said framework.
Government agencies will be required to implement the above framework, but it’s entirely voluntary for private operators of critical infrastructure. That being said, the Obama administration will be doing its damnest to convince these private institutions to incorporate cybersecurity standards. One way the administration will be doing this is through the creation of an incentive program that will be pitched to the administration within 120 days. It will then be implemented by the President if it does not require the passage of new laws. If it does, Obama will take his case to Congress.
Finally, the order calls upon the government to seek out infrastructure that’s at the greatest risk of cyberattacks. Once they’ve been identified, the government will work with these organizations to make sure that any risk of cyberattacks are mitigated. As such, these organizations have the chance to make their case, every two years, for whether the cybersecurity standards placed upon them are “regulatory burdens.”
There’s sure to be a lot of talk about this cybersecurity executive order over the coming months. In his speech last night, President Obama indicated as much saying this order is meant to force Congress’ hand in passing extensive cybersecurity legislation. That being said, the order’s emphasis on privacy and civil rights protections makes me hopeful that the administration will smack down any attempts to revive CISPA this year.