Obama Promotes Cyber Threat-Sharing

Employers seek information-sharing liability protections

By Roy Maurer Feb 19, 2015

President Barack Obama’s Feb. 12, 2015, executive order promoting cyber threat-sharing within the private sector and between private enterprises and government agencies expands the president’s cybersecurity framework beyond critical infrastructure companies.

Obama’s announcement follows several high-profile cyberattacks, including the Feb. 4, 2015, data breach at health insurance provider Anthem Inc.

Cyber threat information-sharing has been highlighted by lawmakers and tech trade groups as a key component of risk management in any potential cybersecurity legislation for years, as long as that legislation would protect businesses from liability, antitrust and public disclosure lawsuits.

But privacy groups have objected to proposals such as the Cyber Intelligence Sharing and Protection Act (CISPA), charging that too much individual personal information would be shared with government.

The president’s executive order calls for the development of information-sharing and analysis organizations made up of “communities that share information across a region or in response to a specific emerging cyber threat.” These organizations will then enter into information-sharing agreements with the newly created National Cybersecurity and Communications Integration Center, so long as they meet certain security requirements.

The executive order also directs the Department of Homeland Security to develop a common set of voluntary standards for information-sharing organizations and streamline companies’ ability to access classified cybersecurity threat information.

“This has to be a shared mission,” Obama said. “So much of our computer networks and critical infrastructure are in the private sector, which means that government cannot do this alone. But the fact is the private sector can’t do it alone, either, because it is government that often has the latest information on new threats. There is only one way to defend Americans from these cyberattacks—that is through government and industry working together, sharing appropriate information as true partners.”

Privacy Concerns Doomed Past Efforts

Recent cyber threat information-sharing bills introduced in Congress—2014’s Cybersecurity Information Sharing Act and 2013’s CISPA—failed to pass due to privacy concerns about how much customer information would be shared with government agencies.

Obama’s information-sharing proposal is similar to CISPA—which was reintroduced January 2015 in the House—but the president opposed the previous version of that bill, saying it didn’t have enough privacy protections.

A critical difference this time around may be the push from the White House, including a proviso offering companies immunity from lawsuits when they share information about cyberattacks if they take reasonable steps to remove personally identifiable information. Administration officials will develop guidelines for the use and retention of the shared data, according to the executive order.

Tech industry representatives told lawmakers at a recent Senate Homeland Security and Governmental Affairs Committee hearing that a cyber threat information-sharing bill could pass if it required companies and government agencies to strip out personally identifiable information before sharing the information with other organizations.

Industry Response Positive, Still Cautious

Critical industries and stakeholders voiced support for the president’s proposal, but are anxious to see how it will work. The “verdict is out” on whether it will achieve the objective of getting companies to share information with one another, said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, a nonprofit association dedicated to protecting financial services firms from physical and cyberattacks.

The Telecommunications Industry Association (TIA), representing manufacturers and suppliers of communications networks, cautiously praised the proposal, saying parts of it needed further analysis. “We are strongly in favor of cybersecurity legislation that will give businesses more access to government information on threats, open channels for greater information-sharing between companies, and enhance private-sector liability protection,” TIA CEO Scott Belcher said in a statement.

The National Retail Federation commended the president for the threat-sharing proposal. “The executive order is very much in line with what we are already doing to identify, classify and disseminate intelligence on actual and potential cyber threats to more than 150 of the best-known retail brands and companies, large and small,” said Federation President and CEO Matthew Shay. “It is an acknowledgement that industries need more flexible and nimble information-sharing platforms to combat cyber threats in the future,” he said.

Shay stressed that information-sharing is just one part of a needed comprehensive cybersecurity approach, which should also include PIN and chip credit cards and adoption of point-to-point data encryption.

The foundation of effective cybersecurity information-sharing rests on three principles, according to wireless communications association CTIA:

  • Liability protection with respect to private-to-private and private-to-government sharing.
  • Antitrust exemption with respect to private-to-private sharing.
  • Protection against public disclosure with respect to private-to-government sharing.

“Currently, private-sector companies cannot share information with a government agency or organization without researching to ensure that whatever data is being shared is not protected, sensitive or classified, and assuming the risk of the information being made publicly available as a result of a FOIA [Freedom of Information Act] request,” according to the CTIA.

Communications industry groups, including CTIA, the National Cable & Telecommunications Association, and U.S. Telecom Association, recommend that any cybersecurity legislation affirmatively address those three principles of protection for companies and incorporate legislative language that:

  • Permits and protects information-sharing for defined cybersecurity purposes only.
  • Makes clear that authorized cybersecurity countermeasures can only be employed on a private entity’s network or customer network with written customer authorization.
  • Provides protection for companies taking reasonable steps to prevent disclosing to the U.S. government information that is not necessary to respond to a cyber threat.

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy
