Homeland Security to be put in charge of info "sharing"
Homeland Security to be put in charge of info sharing
By Elizabeth Weise and
Gregory Korte, USA TODAY 11:40 a.m. EST February 13, 2015
SAN FRANCISCO — President Obama will announce a new
executive order on the sharing of cybersecurity threats and information at
Friday's cybersecurity summit at Stanford University, the White House said.
Most importantly to Silicon Valley, the president's proposal
is expected to cement the role of the Department of Homeland Security, rather
than the National Security Agency, as the government lead for
information-sharing with the private sector.
"Hopefully the rules will prohibit the use of the
information shared being used for surveillance," said Greg Nojime, a
senior counsel with the Center for Democracy and Technology in Washington D.C.
Given the anger and anxiety that resulted from revelations
by Edward Snowden about the extent of NSA surveillance, knowing that Homeland
Security is in charge may calm concerns among Valley companies.
Many tech companies have dealt with extensive push back
from their customers both in the United States and overseas over the issue of
privacy and protection of the information they hold.
The intent of the executive order is to create a process
for establishing rules of the road on information sharing between the privacy
sector and the government, Nojime said.
This would be in the form of a hub-and-spoke system,
where companies would share information with the government, which would then
send it back out to other companies.
However, the president's order wouldn't provide
protection from liability for the companies doing the sharing.
That's why it doesn't happen now, said Avivah Litan, a
security analyst at the technology research company Gartner.
"There's no meaningful intelligence sharing because
of all the lawyers. There's always the threat of lawsuits," she said.
Litan knew someone who was aware that the malicious
software used in the Target breach had been seen by other companies "but
he wasn't allowed to share the information, because five lawyers were
threatening to sue him if he did," she said.
The only way to make information sharing possible is to
create legal safe harbors where companies can disclose what they know without
putting themselves at legal risk, she said.
That will require congressional action.
"Unilateral, top-down solutions will not solve
America's cyber problems," said Cory Fritz, a spokesman for House Speaker
John Boehner, R-Ohio. Instead of the executive order, he said, Obama should
support cybersecurity bills passed by the House in the last Congress.
Instead, Obama has put forward his own bill encouraging
the private sector to share cyberthreat information with the Department of
Homeland Security's National Cybersecurity and Communications Integration Center.
The center will then share it with relevant federal
agencies and private sector Information Sharing and Analysis Organizations
(ISAOs in Washington-speak.)
It also requires the Department of Homeland Security and
the Attorney General to develop guidelines for how the government gets, stores,
uses and discloses cyberthreat indicators.
Obama is scheduled to give the luncheon address at the
Whitehouse Cybersecurity Summit.
Gregory Korte reported from Washington.
Comments
Post a Comment