President Barack Obama’s Feb. 12, 2015, executive order promoting cyber threat-sharing within the private sector and between private enterprises and government agencies expands the president’s cybersecurity framework beyond critical infrastructure companies.
Obama’s announcement follows several high-profile cyberattacks, including the Feb. 4, 2015, data breach at health insurance provider Anthem Inc.
For years, lawmakers and tech trade groups have highlighted cyber threat information-sharing as a key component of risk management in any potential cybersecurity legislation, as long as that legislation would protect businesses from liability, antitrust and public disclosure lawsuits.
But privacy groups have objected to proposals such as the Cyber Intelligence Sharing and Protection Act (CISPA), charging that too much individual personal information would be shared with government.
The president’s executive order calls for the development of information-sharing and analysis organizations made up of “communities that share information across a region or in response to a specific emerging cyber threat.” These organizations will then enter into information-sharing agreements with the newly created National Cybersecurity and Communications Integration Center, so long as they meet certain security requirements.
The executive order also directs the Department of Homeland Security to develop a common set of voluntary standards for information-sharing organizations and streamline companies’ ability to access classified cybersecurity threat information.
“This has to be a shared mission,” Obama said. “So much of our computer networks and critical infrastructure are in the private sector, which means that government cannot do this alone. But the fact is the private sector can’t do it alone, either, because it is government that often has the latest information on new threats. There is only one way to defend Americans from these cyberattacks—that is through government and industry working together, sharing appropriate information as true partners.”
Privacy Concerns Doomed Past Efforts
Recent cyber threat information-sharing bills introduced in Congress—2014’s Cybersecurity Information Sharing Act and 2013’s CISPA—failed to pass due to privacy concerns about how much customer information would be shared with government agencies.
Obama’s information-sharing proposal is similar to CISPA, which was reintroduced in the House in January 2015, but the president opposed the previous version of that bill, saying it didn’t have enough privacy protections.
A critical difference this time around may be the push from the White House, including a proviso offering companies immunity from lawsuits when they share information about cyberattacks if they take reasonable steps to remove personally identifiable information. Administration officials will develop guidelines for the use and retention of the shared data, according to the executive order.
Tech industry representatives told lawmakers at a recent Senate Homeland Security and Governmental Affairs Committee hearing that a cyber threat information-sharing bill could pass if it required companies and government agencies to strip out personally identifiable information before sharing the information with other organizations.
Industry Response Positive, Still Cautious
Critical industries and stakeholders voiced support for the president’s proposal, but are anxious to see how it will work. The “verdict is out” on whether it will achieve the objective of getting companies to share information with one another, said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, a nonprofit association dedicated to protecting financial services firms from physical and cyberattacks.
The Telecommunications Industry Association (TIA), representing manufacturers and suppliers of communications networks, cautiously praised the proposal, saying parts of it needed further analysis. “We are strongly in favor of cybersecurity legislation that will give businesses more access to government information on threats, open channels for greater information-sharing between companies, and enhance private-sector liability protection,” TIA CEO Scott Belcher said in a statement.
The National Retail Federation commended the president for the threat-sharing proposal. “The executive order is very much in line with what we are already doing to identify, classify and disseminate intelligence on actual and potential cyber threats to more than 150 of the best-known retail brands and companies, large and small,” said Federation President and CEO Matthew Shay. “It is an acknowledgement that industries need more flexible and nimble information-sharing platforms to combat cyber threats in the future,” he said.
Shay stressed that information-sharing is just one part of a needed comprehensive cybersecurity approach, which should also include PIN and chip credit cards and adoption of point-to-point data encryption.
The foundation of effective cybersecurity information-sharing rests on three principles, according to wireless communications association CTIA:
“Currently, private-sector companies cannot share information with a government agency or organization without researching to ensure that whatever data is being shared is not protected, sensitive or classified, and assuming the risk of the information being made publicly available as a result of a FOIA [Freedom of Information Act] request,” according to the CTIA.
Communications industry groups, including CTIA, the National Cable & Telecommunications Association, and U.S. Telecom Association, recommend that any cybersecurity legislation affirmatively address those three principles of protection for companies and incorporate legislative language that:
Roy Maurer is an online editor/manager for SHRM.