On 13 February 2015, President Obama issued “Executive Order — Promoting Private Sector Cybersecurity Information Sharing.” The primary objective of the order was to establish Information Sharing and Analysis Organizations and voluntary standards for information sharing by critical infrastructure companies. This is the third in a series of cybersecurity executive orders issued annually each February since 2013.
What you need to know
By establishing a regimen for the development of voluntary information sharing standards, this executive order is getting a head start on the proposed cybersecurity legislation that the White House sent to Congress in January. The last attempt, in 2012, to get a cybersecurity act through Congress failed, mostly due to intervention from privacy advocates and concerns about increasing regulatory burdens on critical infrastructure businesses. Following that failure, the President in 2013 issued “Executive Order — Improving Critical Infrastructure Cybersecurity.” That order resulted in the Cybersecurity Framework, which industry has accepted well as a baseline standard for critical infrastructure protection. This new executive order is about as far as the executive branch can extend its authority without further legislation. With all the major cyber attacks since 2012, and with the Sony and Anthem hacks fresh in the minds of business executives, the public, and politicians, the resistance to new regulations should be less than it was in 2012.
Operators of critical infrastructure should:
1 – Participate in the development of the voluntary information sharing standards
2 – Identify information that can be shared without legal liability concerns
3 – Prepare for legislation that will provide legal protection for information sharing.
The Executive Order doesn’t change much for critical infrastructure companies – current cybersecurity policies should not be affected directly. It does not direct government agencies to review current regulations or make changes to them. The executive order calls for consultation on voluntary standards. Depending on what comes out of voluntary standards and the Executive Order, companies could make voluntary changes to their policies based on them.
There are no requirements for companies to share information with the Information Sharing and Analysis Organizations established by this executive order. Sharing is voluntary, not mandatory. For companies that decide to share information, there are legal risks. Until there is legislation that provides more specific legal protections, this executive order is not likely to have much effect, other than laying the groundwork for an information sharing regime.
The window for legislative action is open. All the major hacks that have happened since 2012, especially Sony, received a lot of political attention, as well as attention from boards of directors and CEOs. There are special interests concerned about privacy and civil liberties, and other special interests concerned about putting more regulatory mandates on companies. As for the latter, legislation on information sharing will be much less onerous than the cybersecurity audit rules proposed in the Cybersecurity Act of 2012. The time to bring all sides in Congress together is right now, while what happened at Sony and Anthem is still fresh in mind.