By: Jeb Harmon
In December of 2014, Sony Pictures Entertainment turned to the Federal Bureau of Investigation (FBI) for protection and answers after North Korea allegedly targeted the company following the release of the movie “The Interview,” a comedy depicting two American journalists tasked with killing North Korea leader Kim Jong-un. The hackers leaked compromising emails between high level Sony executives, which eventually prompted Sony Chair Amy Pascal to resign this February. The hackers threatened the public at large by sending the following message: “The world will be full of fear. Remember the 11th of September 2001,” which led many theaters to cancel the showing of the film. The FBI traced the source of the attack to a group called the Guardians of Peace, which the FBI believes is linked to North Korea. While the North Korean cyber-attack on Sony was a unique attempt to cripple a Hollywood powerhouse, there were more than 1,500 data breaches on private businesses and governments worldwide in 2014, a 50% increase from the previous year. The growth in cyber attacks is extremely troubling, given the amount of sensitive information that individuals store on the Internet. The White House warns that “because of the interconnected nature of the Internet, no one is isolated from these [cyber] threats.”
On Friday February 13, 2015, President Obama responded to a greater need for collective action against cyber-threats by signing Executive Order 13587—Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. This Executive Order will enable companies to work alongside the federal government in order to identify and to protect themselves as well as the private sector from cyber threats, by creating a framework that encourages voluntary and expansive information-sharing. The Order calls for a voluntary information-sharing framework in three areas: (i) collaboration in the private sector, (ii) collaboration between private businesses and the federal government, and (iii) privacy and civil liberty protections. The Executive Order prompts the Department of Homeland Security (DHS) to share cyber-threat information with the private sector, and also for private sector companies to voluntarily share such information among themselves.
The President’s Executive Order will promote the sharing of classified, relevant data between federal agencies and private companies. Currently, most private-public sharing is based on a Clinton-era framework, which prioritized information-sharing around various economic sectors—banks, energy and power, telecommunications—that the Clinton Administration believed were crucial to national interest.
In order to create a more flexible approach toward sharing classified cyber security information, the Executive Order calls for the creation and improvement of Information Sharing and Analysis Organizations (ISAOs). These organizations are defined by the Critical Infrastructure Information Act of 2002 Section 212(5), Codified 6 U.S. Code § 131, as “any formal or informal entity or collaboration created or employed by public or private sector organizations,” for purposes of (1) gathering and analyzing critical infrastructure information for understanding security issues, (2) communicating or disclosing critical infrastructure information to prevent or mitigate from the effects of an interference, and (3) voluntarily disseminating such information to government or other entities. Under the Executive Order, an ISAO can be a not-for-profit community, a membership organization, or a single company, which aims to foster a partnership between the federal government and private businesses based on industry-specific, threat-specific, or even regionally-based information needs.
The U.S. Department of Homeland Security will also work alongside companies to create baseline standards and practices in order to guide the information-sharing between federal agencies and the companies involved. DHS will create a nonprofit to administer these best practice guidelines to ISAOs. A CEO of one such involved company, American Express Chairman and CEO Kenneth Chenault, believes that the Executive Order will improve industry-sharing in general. For example, he explained that American Express tracks over “100,000 attack indicators yearly from various sources, but only 5% come from industry-sharing through [their] ISAC (Information Sharing and Analysis Center) and less than 1% come from the government.” Currently, the private sector plays a critical role in defending private networks across the United States, and the President believes that this Executive Order will create a framework that allows the federal government and private businesses to work together to thwart cyber-attacks, such as the one the Guardians of Peace launched on Sony.
The Executive Order will streamline signing of agreements with the federal government and will grant DHS new powers with regards to private-public information sharing. Under the Executive Order, DHS will use the Agency’s National Cybersecurity and Communications Integration Center, which analyzes cyber threats, to serve as the hub from which private businesses can enter into information-sharing agreements with the federal government. In 2014, the DHS center detected some 64,000 vulnerabilities on federal and non-federal systems. (At the time of writing this blog, Congress will continue to fund DHS through the end of the budget year, and as such Congress’s decision quells for now DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment’s fear that a shutdown would weaken the center’s ability to respond to cybersecurity threats). Lastly, this voluntary creation of common standards includes protections for consumer privacy and civil liberties by requiring that Federal agencies collaborating with ISAOs confirm and receive approval from their senior agency officials for any information-sharing activities.
There has been both support and criticism of the President’s executive action from lawmakers as well as the general public. From a private sector standpoint, Greg Nojeim, Senior Counsel at the Center for Democracy and Technology, said that the Executive Order’s establishment of ISAOs and accompanying guidelines will allow companies to “know what will be done with the information they share.” He believes the Executive Order will create trust between the Federal government and the private sector. Nojem also told Federal Computer Weekly that it was better to have the DHS establish such information-sharing agreements itself, as opposed to the National Security Agency, given the controversy surrounding government surveillance that erupted last year. Some titans of the private sector have already expressed their willingness to share information with the federal government, as Apple, Intel, Bank of America, Kaiser Permanente and Pacific Gas & Electric, among many others, have already committed to signing such information-sharing agreements with the DHS.
However, Mike Brown, a vice president with a security division of EMC Corp., a cloud computing company, believes that many companies will be hesitant to sign such agreements because the Executive Order does not provide protection from liability. For this reason, Senator Tom Carper (D-Del.) introduced the following legislation, The Cyber Threat Sharing Act of 2015, which would “grant liability protections to companies for sharing cyber threat data.” If passed, the Act could remove some of the concerns companies have regarding liability. Yet there is a weakness with the proposed legislation in that it authorizes any self-certified group of security analysts to act as ISAOs in gathering data, yet the bill provides little oversight over these groups to control for how they would use the data.
In Congress, several lawmakers have also supported the Executive Order as another weapon against cyber attacks. California Representative Adam Schiff, the ranking Democrat on the House Intelligence Committee, praised the President’s efforts to secure America’s public and private networks from cyber attacks and espionage. Meanwhile, Speaker of the House John Boehner, through a spokesman, said that “Unilateral, top-down solutions will not solve America’s cyber problems,” and he urged the President to work with Republicans in Congress to create an information-sharing bill instead of imposing an Executive Order.
Although some members of Congress disagree with the Executive Order, Congress has passed key pieces of cybersecurity legislation in the past, such as three cybersecurity bills which were signed by the President last December, in order to further protect government agencies and private businesses from cyber-attacks attacks: The Federal Information Security Modernization Act of 2014, the National Cybersecurity Protection Act, and the DHS Cybersecurity Workforce Recruitment and Retention Act. Congress’ past bipartisanship with regards to cybersecurity shows that this is perhaps a field where Congressional gridlock is not as contentious as it is for other major policy areas.
In the wake of the Edward Snowden leak on the National Security Administration (NSA), the Obama Administration’s tapping of journalists’ cell phones, and the NSA bugging of world leaders’ phones, the Obama Administration has many steps to take in earning the public’s trust in order to undergo massive data collection in the name of national security. As the Executive Order calls for voluntary sharing of information between the private and public sector, perhaps many companies will be less willing to share such information until the Administration can assure them that such data sharing is not merely window dressing for government surveillance of U.S. companies. Yet, after the alleged North Korean attack on Sony Pictures, it remains clear that a fine line must be drawn somewhere between allowing the government to defend against cyber attacks and preventing the government from data collecting from (spying on) private organizations.
The President’s Executive Order and Congress’s proposed bills may be trying to draw such a line for the first time. However, it is up to the American People and, ultimately, Congress to ensure that civil liberties will be protected when the final line is drawn.