Homeland Security to be put in charge of info "sharing"
By Elizabeth Weise and Gregory Korte, USA TODAY 11:40 a.m. EST February 13, 2015
SAN FRANCISCO — President Obama will announce a new executive order on the sharing of cybersecurity threats and information at Friday's cybersecurity summit at Stanford University, the White House said.
Most importantly to Silicon Valley, the president's proposal is expected to cement the role of the Department of Homeland Security, rather than the National Security Agency, as the government lead for information-sharing with the private sector.
"Hopefully the rules will prohibit the use of the information shared being used for surveillance," said Greg Nojeim, a senior counsel with the Center for Democracy and Technology in Washington, D.C.
Given the anger and anxiety that resulted from revelations by Edward Snowden about the extent of NSA surveillance, knowing that Homeland Security is in charge may calm concerns among Valley companies.
Many tech companies have dealt with extensive pushback from their customers both in the United States and overseas over the issue of privacy and protection of the information they hold.
The intent of the executive order is to create a process for establishing rules of the road on information sharing between the private sector and the government, Nojeim said.
This would be in the form of a hub-and-spoke system, where companies would share information with the government, which would then send it back out to other companies.
However, the president's order wouldn't provide protection from liability for the companies doing the sharing.
That's why it doesn't happen now, said Avivah Litan, a security analyst at the technology research company Gartner.
"There's no meaningful intelligence sharing because of all the lawyers. There's always the threat of lawsuits," she said.
Litan knew someone who was aware that the malicious software used in the Target breach had been seen by other companies "but he wasn't allowed to share the information, because five lawyers were threatening to sue him if he did," she said.
The only way to make information sharing possible is to create legal safe harbors where companies can disclose what they know without putting themselves at legal risk, she said.
That will require congressional action.
"Unilateral, top-down solutions will not solve America's cyber problems," said Cory Fritz, a spokesman for House Speaker John Boehner, R-Ohio. Instead of the executive order, he said, Obama should support cybersecurity bills passed by the House in the last Congress.
Instead, Obama has put forward his own bill encouraging the private sector to share cyberthreat information with the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
The center will then share it with relevant federal agencies and private sector Information Sharing and Analysis Organizations (ISAOs in Washington-speak).
It also requires the Department of Homeland Security and the Attorney General to develop guidelines for how the government gets, stores, uses and discloses cyberthreat indicators.
Obama is scheduled to give the luncheon address at the White House Cybersecurity Summit.
Gregory Korte reported from Washington.