By David Burg.
Last Friday, US President Barack Obama signed an executive order that further signifies cybersecurity information sharing is a top priority for the Obama Administration. The voluntary framework takes a strong—and necessary—stance on encouraging information sharing among industries as well as among the private sector and government agencies.
I was in the audience as President Obama signed the executive order at the White House Summit on Cybersecurity at Stanford University. Among the business leaders I spoke with, most expressed enthusiastic support for the executive order as an important and timely step toward improved security intelligence and response.
It’s also likely to prompt more US organizations to collaborate with others to boost awareness of cybersecurity threats and responses. While we’re seeing progress in this area, less than half (45%) of US respondents to The Global State of Information Security® Survey 2015 said they collaborate with business peers, industry groups, and government agencies.
Lisa Monaco, National Security Council advisor to President Obama, began the discussion by noting that the number of cybersecurity incidents has soared five-fold since 2009. “The seriousness of those breaches is rising, and they are causing more and more significant economic damage,” she said. “To put it bluntly, the cyberthreat is becoming more diverse, more sophisticated, and more dangerous.”
To battle these constantly evolving threat actors, Monaco called for a sustained and coordinated effort. “Cyber, like our counterterrorism efforts, requires a ‘whole of government’ approach that harnesses all the tools at our disposal—our diplomacy, our economic clout, our intelligence resources, our law enforcement expertise, our competitive technological edge, and, when necessary, our military power,” she told attendees.
Later, in a speech closing the daylong summit, President Obama emphasized that cyberattacks have become an increasingly serious threat to US businesses, the economy, national security, critical infrastructure, and individual privacy. “Attacks are getting more and more sophisticated every day,” he said. “So we have to be just as fast and flexible and nimble in constantly evolving our defenses.”
President Obama told the audience that the most effective way to disrupt more attacks is to approach the issue as a shared mission between the public and private sectors. “Government cannot do this alone. But the fact is that the private sector can’t do it alone either,” he said. “There is only one way: Government and industry must work together and share appropriate information as true partners.”
That’s a sentiment that several private-sector executives also voiced in various panel discussions. Anthony Earley, Jr., CEO of Pacific Gas & Electric (PG&E), noted that communication of actionable intelligence and threat indicators should be a two-way effort and it must be timely. He also stressed that the public-private partnership cannot be adversarial. “We have enough adversaries out there,” Earley said. “This has to be like a new Manhattan Project, where government and the private sector work together for a common goal to combat these real and pernicious threats.”
Using the NIST Cybersecurity Framework as a foundation
President Obama pointed out that the government is working with industry to encourage implementation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which laid the groundwork for risk-based cybersecurity and created a common language for internal and external communication of cybersecurity issues. Throughout the day, several industry CEOs voiced support for the Framework, noting that it forms a good first step in implementing an effective information-sharing program.
In laying out the principles of the executive order, the President took great care to emphasize protection of the privacy and civil liberties of individuals. Noting that “we do more online than ever before,” including shop, manage bank accounts, and handle medical records, he stressed the importance of making cyberspace safe for families, students, and “digitally fearless” young people. Equally important, he noted that the executive order safeguards the confidentiality of shared business information.
A key way that the initiative aims to expand collaboration is through the creation of Information Sharing and Analysis Organizations (ISAOs), entities that are formed to share data within the private sector and between the private sector and government. Unlike today’s industry-specific Information Sharing and Analysis Centers (ISACs), membership in ISAOs will be more open. It can be based on region or as a response to a specific type of cyberthreat, and will be open to both public and private entities. I like this idea because, anytime you broaden the horizons of information sharing possibilities, more intelligence will be created.
The executive order also authorizes the newly created National Cybersecurity and Communications Integration Center (NCCIC) to collaborate with ISAOs on cyber-risks and incidents. That’s critical to the success of the NCCIC as a central clearinghouse for gathering, analyzing, and issuing alerts on threats, and should make collaboration faster and easier for private-sector businesses.
What’s more, ISAOs will be asked to comply with a set of voluntary standards that will be determined by a nongovernmental Standards Organization. Importantly, this organization will also be responsible for the development and adoption of automated mechanisms for information sharing. This is key because information sharing today is hobbled by a lack of a unified framework, platform, and data standards.
If an automated platform for information sharing among US government agencies and businesses is challenging, international cooperation may be even more daunting. As President Obama noted, boosting cooperation abroad will be “complicated” because “a lot of countries don’t necessarily share our investment or our commitment to openness.” Policies and regulations on data privacy vary widely across the globe, and there is also no international standard for information-sharing platforms and data, nor are there cross-border policies for law enforcement cooperation and for ensuring that cybercriminals are held responsible.
The executive order also aims to make it easier for private-sector companies to get the classified threat information they need to protect themselves. To do so, it gives the Department of Homeland Security (DHS) the authority to approve and facilitate access to classified information. I think this is an important step because classified threat information can often provide valuable context to businesses that are monitoring for or responding to cyberattacks.
All things considered, the executive order delivers the right tone and support for creating a coordinated response to cyberthreats. If anything is missing, it’s concrete guidelines for creating a framework and technology infrastructure for real-time information sharing. Once the Standards Organization is formed, I’m planning to closely watch how it develops an information-sharing platform. For businesses that have created proprietary platforms, the organization’s efforts will represent a chance to become involved and perhaps improve existing systems.
Finally, President Obama called on Congress to pass cybersecurity legislation this year. In doing so, he stressed that cybersecurity is not a Democratic or a Republican issue, nor is it a concern that is limited to liberal or conservative constituents. He summed it up by saying: “Everybody is online and everybody is vulnerable.”
The Global State of Information Security® is a registered trademark of International Data Group, Inc.