The increasing number of high profile cyber attacks, such as those on Sony, J.P. Morgan Chase, and retail breaches (e.g., Staples and Home Depot) have made cyber security a pressing national issue. ((See David E. Sanger, Obama Administration Plans to Open Center to Fight Cyberattacks, N.Y. Times (Feb. 11, 2015), http://www.nytimes.com/2015/02/11/us/politics/obama-administration-plans-to-open-center-to-fight-cyberattacks.html?ref=topics&_r=0; see also Charles McLellan, Cybersecurity in 2015: What to Expect, ZDNet (Feb. 2, 2015), http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/.)) Many of the security breaches have resulted in the loss of sensitive information, such as credit card information, social security numbers, and internal emails. ((See McLellan, supra note 1.)) The issue has become so prominent that President Obama accorded it space in his State of the Union address ((Kate Vinton, Obama Signs Executive Action, Calls for Collaboration to Fight Cyber Attacks at Stanford Summit, Forbes (Feb. 13, 2015, 8:21 PM), http://www.forbes.com/sites/katevinton/2015/02/13/obama-signs-executive-action-calls-for-collaboration-to-fight-cyber-attacks-at-stanford-summit/.)) and has made several proposals for cyber security reform. ((Press Release, Office of the Press Sec’y, The White House, Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts (Jan. 13, 2015), available at http://www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat.)) On February 13th, 2015, President Obama issued an executive order to promote increased information sharing regarding threats to cyber security among American companies and the government. ((Nicole Perlroth & David E. Sanger, Obama Calls for New Cooperation to Wrangle the ‘Wild West’ Internet, N.Y. Times (Feb. 13, 2015), http://www.nytimes.com/2015/02/14/business/obama-urges-tech-companies-to-cooperate-on-internet-security.html?ref=topics.))
The executive order asks the Department of Homeland Security to develop new “information sharing and analysis organizations” and urges companies to become part of information-sharing hubs to gather and exchange information about online threats with other companies and in certain circumstances, to receive classified information from the government. ((See id.; see also Sarah Buhr & Alex Wilhelm, Obama Signs Executive Order Encouraging Private-Sector Companies to Share Cyber Security Information, TechCrunch (Feb. 13, 2015), http://techcrunch.com/2015/02/13/obama-cyber-security/#tmhmdj:zwR.)) It also calls for the creation of a common set of standards for sharing, protecting consumer privacy and liberties. ((Shaun Waterman, Obama Signs Executive Order on Sharing Cyberthreat Info, Politico (Feb. 13, 2015, 3:21 PM), http://www.politico.com/story/2015/02/obama-cyberthreat-executive-order-115187.html.)) President Obama has previously issued several executive orders related to cyber security for example, in 2013 that allows companies overseeing the country’s “critical infrastructure” (e.g., financial institutions and electric grids) to provide government contractors with “real time reports” about threats. ((Michael S. Schmidt & Nicole Perlroth, Obama Order Gives Firms Cyberthreat Information, N.Y. Times (Feb. 12, 2013), http://www.nytimes.com/2013/02/13/us/executive-order-on-cybersecurity-is-issued.html.)) Although the executive order has been praised as a step in the right direction, ((Katie Zezima, Obama Signs Executive Order on Sharing Cybersecurity Threat Information, Wash. Post (Feb. 12, 2015), http://www.washingtonpost.com/blogs/post-politics/wp/2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/.)) critics have pointed out several limits to his information-sharing proposals.
First, participation by private companies is voluntary, ((Rachael King, Obama Signs Info Sharing Executive Order, but Concerns Remain, Wall St. J. (Feb. 13, 2015, 7:07 PM), http://blogs.wsj.com/cio/2015/02/13/obama-signs-info-sharing-executive-order-but-concerns-remain/.)) which reduces the incentive to adopt and follow the structure. As a result of the revelations by Edward J. Snowden that consumer information was being handed over to the government, companies, particularly those who are competitive internationally, worry about the impression that information sharing would create among their customers. ((Buhr & Wilhelm, supra note 6.)) They are trying to strengthen their encryption systems, which will be detrimental to intelligence gathering and information sharing by the U.S. government. ((Id.)) Companies have pointed out that they already share information about security threats with others in their industry. ((Perlroth & Sanger, supra note 5.))
Second, if companies do share information, the order does not protect companies from liability if collecting and sharing customer or other private data results in legal action. ((Id.)) Many companies are reluctant to share data without such a law in place ((Id.)) The President’s executive powers do not allow him to address this issue. Only Congress can address it with legislation, which has failed to get through Congress for three years. ((Id.))
Finally, the executive orders do not cover a highly important aspect of strengthening cybersecurity—setting minimum standards for security—which must be done by legislation. ((Schmidt, supra note 8.)) In 2012, administration officials attempted to get Congress to pass legislation giving the Department of Homeland Security power to enforce minimum standards for security, but Senate Republicans argued that the minimum standards were too burdensome for businesses. ((Id.)) Eventually, the bill was blocked by a filibuster. ((Id.))
Despite the limits of the executive order, information sharing remains an important aspect of cyber security. Platforms such as cloud services, payment systems, and mobile phone technology have a widened the variety of opportunities for hackers to carry out cyber attacks. ((See McLellan, supra note 1.)) An assistant director of the FBI’s cyberdivision points out in a New York Times article that U.S. companies are up against hackers with a very high level of technical skill. ((Perlroth & Sanger, supra note 5.)) Thus, he states, information-sharing is critical to tracing the attacks back to the hackers. ((Id.))
The same week saw other developments related to cyber security. The President has introduced a bill to Congress to increase sharing of cyber threat data which provides liability protection to companies sharing cyber threat data in certain circumstances. ((Vinton, supra note 3.)) Additionally, the White House announced that it was creating the Cyber Threat Intelligence Integration Center to play a leading role in monitoring cyber threats, which is currently spread among various agencies. ((Damien Paletta & Danny Yadron, White House to Create New Division to Streamline Cyberthreat Intelligence, Wall St. J. (Feb. 10, 2015, 8:25 PM), http://www.wsj.com/articles/white-house-to-create-new-division-to-streamline-cyberthreat-intelligence-1423572846.)) The agency will gather and analyze intelligence from various agencies and decide whether it can be shared with such parties as companies. ((Id.)) It will be interesting to see how the cybersecurity regulatory framework develops in 2015. ((Id.))