(Editor’s note: The Broadband Report is a regular feature in WRAL TechWire.)
WASHINGTON, D.C. – Rapid information sharing is an essential element of effective cybersecurity, because it enables companies to work together to respond to threats, rather than operating alone, according to a recent White House announcement this month.
Painting the Picture
According to NASDAQ, the reason for the government’s cybersecurity push is the staggering amount of money spent preventing and responding to cyber threats every year.
For example, NASDAQ reported that IBM claims its client companies are attacked 16,856 times per year on average. But, it isn’t just tech firms that are being targeted.
In March 2014, eBay reported hackers accessed all user records, compromising 145 million people. In April 2014, Home Depot said millions of its customers had their credit card information stolen, costing the company $148 million. In July 2014, JPMorgan Chase reported 76 million accounts had been accessed by international hackers. Last November, the biggest cybercrime story of 2014 went to Sony, costing the company $100 million and comprised every single piece of information in their systems. Even as recent as this month, healthcare firm Anthem reported that 80 million personal records had been breached.
The president’s new executive order is said to provide a framework for expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats.
Encouraging Private-Sector Cybersecurity Collaboration
This order encourages the development of Information Sharing and Analysis Organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Information Sharing and Analysis Centers (ISACs) are already essential drivers of effective cybersecurity collaboration, and could constitute ISAOs under this new framework. In encouraging the creation of ISAOs, the president’s plan looks to expand information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.
The order also directs the U.S. Department of Homeland Security to fund the creation of a non-profit organization to develop a common set of voluntary standards for ISAOs. Developing this baseline will enable ISAOs to quickly demonstrate their policies and security protocols to potential partners. This, as the order notes, will make collaboration safer, faster and easier, and ensure greater coordination within the private sector to respond to cyber threats.
Enabling Better Private-Public Information Sharing
A White House Fact Sheet noted that this order also seeks to clarify Homeland Security’s authority to enter into agreements with information sharing organizations and to increase collaboration between ISAOs and the federal government by streamlining the mechanism for the National Cybersecurity and Communications Integration Center (NCCIC) to enter into information sharing agreements with ISAOs. This, according to the White House, will ensure that robust, voluntary information sharing continues and expands between the public and private sectors.
Classified threat information can often provide valuable context to network defenders and enhance their ability to protect their systems. The order aims to streamline a private-sector company’s ability to access classified cybersecurity threat information. It also adds Homeland Security to the list of federal agencies that approve classified information sharing arrangements and takes steps to ensure information sharing entities can appropriately access classified cybersecurity threat information.
Providing Strong Privacy and Civil Liberties Protections
Information sharing enabled by this new framework will include strong protections for privacy and civil liberties. Private sector ISAOs will agree to abide by a common set of voluntary standards, which will include privacy protections. In addition, agencies collaborating with ISAOs under this order will coordinate their activities with senior agency officials for privacy and civil liberties to ensure appropriate protections are in place and are based upon the Fair Information Practice Principles.
Paving the Way for Future Legislation
The Obama Administration’s January 2015 legislative proposal looks to put in place policies that build out the concept of ISAOs as a framework. The president intends for this proposal to complement and not to limit existing effective relationships between government and the private sector.
