The White House is expected to release an executive action next week expanding administration efforts to facilitate cybersecurity information sharing between the private sector and Department of Homeland Security (DHS).
According to several people familiar with the upcoming announcement, President Obama will unveil the plan at the administration’s cybersecurity summit on Feb. 13 at Stanford University.
{mosads}The White House, which is calling the plan an “executive action,” not an executive order, will likely detail a strategy to clarify how private companies can share cyber threat data with the DHS’s cyber info hub, the National Cybersecurity and Communications Integration Center (NCCIC).
The NCCIC has been in existence for a number of years, but has been bedeviled by a complicated and slow process for the public and private sectors to swap cyber info.
The White House has put the DHS info-sharing hub at the middle of its cybersecurity agenda.
In early January, the administration laid out a series of cyber policy initiatives, including a legislative proposal that would provide legal liability protection for companies willing to share cyber data with the NCCIC.
The upcoming executive action is likely an attempt to make its proposal to Congress more appealing.
In addition to NCCIC’s info-sharing bureaucratic challenges, the center wasn’t officially authorized by Congress until late last year and hasn’t been central to lawmakers’ cyber info-sharing attempts.
Industry groups and government officials have long argued both sides must share greater quantities of cyber intelligence data to bolster the country’s cyber defenses.
But companies worry sharing such information with the government could open them up to lawsuits or regulatory action. Privacy advocates are also fearful such an exchange could create another venue for the government to collect Americans’ personal information.
The executive action isn’t likely to fully address either of those major issues, causing some in the private sector to wonder how much the White House can actually accomplish. It’s widely believed legislation is required to tackle those challenges.
Still, many see the action as a potentially encouraging next step. It’s a chance to keep the administration’s cyber agenda in the public discussion and provide more details on some of the opaque parts of the White House’s legislative offering on information sharing.
One particular area Obama is expected to address is how NCCIC might interact with the private sector information-sharing hubs the White House described in its proposed bill.
The NCCIC already works with industry-specific hubs, known as Information Sharing and Analysis Centers (ISAC). But in its proposed measure, the White House laid out a plan for the NCCIC to swap data with Information Sharing and Analysis Organizations (ISAO).
It may seem like a small difference, but ISAOs are intended to cut across multiple industries, according to a senior administration official. An ISAO could be regionally-based or based on company size, for instance. But unlike the ISACs, ISAOs don’t really exist yet.
“It is obviously a deliberate choice,” said the administration official when unveiling the proposal in January. ISAOs “allow for a multiplicity of ways that the private sector would want to organize itself.”
Exactly how the NCCIC could work with these ISAOs, and what an ISAO might look like, is an anticipated part of the upcoming executive action.
The Feb. 13 announcement will come nearly two years to the day since Obama’s first major executive order on cybersecurity.
In early 2013, the White House dropped an expansive executive order that directed multiple government agencies to conduct a wide array of cybersecurity research. It also tasked the standards-setting agency, the National Institute of Standards and Technology (NIST), with creating a voluntary cybersecurity framework for companies and regulators.
Next week’s executive action is not expected to be nearly as far-reaching.