The increasing number of high-profile cyber attacks, such as those on Sony and J.P. Morgan Chase and the retail breaches at Staples and Home Depot, has made cyber security a pressing national issue.1 Many of the security breaches have resulted in the loss of sensitive information, such as credit card information, social security numbers, and internal emails.2 The issue has become so prominent that President Obama accorded it space in his State of the Union address3 and has made several proposals for cyber security reform.4 On February 13th, 2015, President Obama issued an executive order to promote increased information sharing regarding threats to cyber security among American companies and the government.5
The executive order asks the Department of Homeland Security to develop new “information sharing and analysis organizations” and urges companies to become part of information-sharing hubs to gather and exchange information about online threats with other companies and, in certain circumstances, to receive classified information from the government.6 It also calls for the creation of a common set of standards for sharing, protecting consumer privacy and liberties.7 President Obama has previously issued several executive orders related to cyber security, for example, one in 2013 that allows companies overseeing the country’s “critical infrastructure” (e.g., financial institutions and electric grids) to provide government contractors with “real time reports” about threats.8 Although the executive order has been praised as a step in the right direction,9 critics have pointed out several limits to his information-sharing proposals.
First, participation by private companies is voluntary,10 which reduces the incentive to adopt and follow the structure. As a result of the revelations by Edward J. Snowden that consumer information was being handed over to the government, companies, particularly those who are competitive internationally, worry about the impression that information sharing would create among their customers.11 They are trying to strengthen their encryption systems, which will be detrimental to intelligence gathering and information sharing by the U.S. government.12 Companies have pointed out that they already share information about security threats with others in their industry.13
Second, if companies do share information, the order does not protect companies from liability if collecting and sharing customer or other private data results in legal action.14 Many companies are reluctant to share data without such a law in place.15
Finally, the executive orders do not cover a highly important aspect of strengthening cybersecurity—setting minimum standards for security—which must be done by legislation.16 In 2012, administration officials attempted to get Congress to pass legislation giving the Department of Homeland Security power to enforce minimum standards for security, but Senate Republicans argued that the minimum standards were too burdensome for businesses.17 Eventually, the bill was blocked by a filibuster.18
Despite the limits of the executive order, information sharing remains an important aspect of cyber security. Platforms such as cloud services, payment systems, and mobile phone technology have widened the variety of opportunities for hackers to carry out cyber attacks.19 An assistant director of the FBI’s cyberdivision points out in a New York Times article that U.S. companies are up against hackers with a very high level of technical skill.20 Thus, he states, information-sharing is critical to tracing the attacks back to the hackers.21
The same week saw other developments related to cyber security. The President has introduced a bill to Congress to increase sharing of cyber threat data, which provides liability protection to companies sharing cyber threat data in certain circumstances.22 Additionally, the White House announced that it was creating the Cyber Threat Intelligence Integration Center to play a leading role in monitoring cyber threats, a task that is currently spread among various agencies.23 The agency will gather and analyze intelligence from various agencies and decide whether it can be shared with such parties as companies.24 It will be interesting to see how the cybersecurity regulatory framework develops in 2015.25
See David E. Sanger, Obama Administration Plans to Open Center to Fight Cyberattacks, N.Y. Times (Feb. 11, 2015), http://www.nytimes.com/2015/02/11/us/politics/obama-administration-plans-to-open-center-to-fight-cyberattacks.html?ref=topics&_r=0; see also Charles McLellan, Cybersecurity in 2015: What to Expect, ZDNet (Feb. 2, 2015), http://www.zdnet.com/article/cybersecurity-in-2015-what-to-expect/. ↩
See McLellan, supra note 1. ↩
Kate Vinton, Obama Signs Executive Action, Calls for Collaboration to Fight Cyber Attacks at Stanford Summit, Forbes (Feb. 13, 2015, 8:21 PM), http://www.forbes.com/sites/katevinton/2015/02/13/obama-signs-executive-action-calls-for-collaboration-to-fight-cyber-attacks-at-stanford-summit/. ↩
Press Release, Office of the Press Sec’y, The White House, Securing Cyberspace – President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts (Jan. 13, 2015), available at http://www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat. ↩
Nicole Perlroth & David E. Sanger, Obama Calls for New Cooperation to Wrangle the ‘Wild West’ Internet, N.Y. Times (Feb. 13, 2015), http://www.nytimes.com/2015/02/14/business/obama-urges-tech-companies-to-cooperate-on-internet-security.html?ref=topics. ↩
See id.; see also Sarah Buhr & Alex Wilhelm, Obama Signs Executive Order Encouraging Private-Sector Companies to Share Cyber Security Information, TechCrunch (Feb. 13, 2015), http://techcrunch.com/2015/02/13/obama-cyber-security/#tmhmdj:zwR. ↩
Shaun Waterman, Obama Signs Executive Order on Sharing Cyberthreat Info, Politico (Feb. 13, 2015, 3:21 PM), http://www.politico.com/story/2015/02/obama-cyberthreat-executive-order-115187.html. ↩
Michael S. Schmidt & Nicole Perlroth, Obama Order Gives Firms Cyberthreat Information, N.Y. Times (Feb. 12, 2013), http://www.nytimes.com/2013/02/13/us/executive-order-on-cybersecurity-is-issued.html. ↩
Katie Zezima, Obama Signs Executive Order on Sharing Cybersecurity Threat Information, Wash. Post (Feb. 12, 2015), http://www.washingtonpost.com/blogs/post-politics/wp/2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/. ↩
Rachael King, Obama Signs Info Sharing Executive Order, but Concerns Remain, Wall St. J. (Feb. 13, 2015, 7:07 PM), http://blogs.wsj.com/cio/2015/02/13/obama-signs-info-sharing-executive-order-but-concerns-remain/. ↩
Buhr & Wilhelm, supra note 6. ↩
Id. ↩
Perlroth & Sanger, supra note 5. ↩
Id. ↩
Id. The President’s executive powers do not allow him to address this issue. Only Congress can address it with legislation, which has failed to get through Congress for three years. Id. ↩
Schmidt, supra note 8. ↩
Id. ↩
Id. ↩
See McLellan, supra note 1. ↩
Perlroth & Sanger, supra note 5. ↩
Id. ↩
Vinton, supra note 3. ↩
Damien Paletta & Danny Yadron, White House to Create New Division to Streamline Cyberthreat Intelligence, Wall St. J. (Feb. 10, 2015, 8:25 PM), http://www.wsj.com/articles/white-house-to-create-new-division-to-streamline-cyberthreat-intelligence-1423572846. ↩
Id. ↩
Id. ↩