Obama to encourage companies to share cyber threat data
February 12, 2015
Joseph Menn and Roberta Rampton
President Barack Obama is set to sign an executive order on Friday aimed at encouraging companies to share more information about cybersecurity threats with the government and each other, a response to attacks like that on Sony Entertainment.
The order sets the stage for new private-sector led "information sharing and analysis organizations" (ISAOs) - hubs where companies share cyber threat data with each other and with the Department of Homeland Security.
It is one step in a long effort to make companies as well as privacy and consumer advocates more comfortable with proposed legislation that would offer participating companies liability protection, the White House said.
"We believe that by clearly defining what makes for a good ISAO, that will make tying liability protection to sectoral organizations easier and more accessible to the public and to privacy and civil liberties advocates," said Michael Daniel, Obama's cyber coordinator, in a conference call with reporters.
Obama will sign the order at a day-long conference on cybersecurity at Stanford University in the heart of Silicon Valley.
The move comes as big Silicon Valley companies prove hesitant to fully support more mandated cybersecurity information sharing without reforms to government surveillance practices exposed by former National Security Agency contractor Edward Snowden.
Cybersecurity industry veterans said Obama's anticipated order would be only a modest step in one of the president's major priorities - the defense of companies from attacks like those on Sony and Anthem Inc.
Obama has proposed legislation to require more information-sharing and limit any legal liability for companies that share too much. Only Congress can provide the liability protection through legislation.
Businesses are unlikely to share a lot of timely and "actionable" cyber intelligence without liability relief, said Mike Brown, a vice president with the RSA security division of EMC Corp.
"Until that gets resolved, probably through legislation, I'm not sure how effective continued information-sharing will be," said Brown, a retired Naval officer and former cyber official with the Department of Homeland Security.
Senator Tom Carper, the top Democrat on the Senate Homeland Security committee, introduced a bill this week that incorporates much of Obama's plan. But Republicans control Congress, and they have yet to sign on to the idea.
"This is an urgent matter and we are working with anyone that we can up on the Hill to make that happen," said Daniel, who had not yet reviewed Carper's bill.
Getting a bill through Congress will require at least the support of big Silicon Valley companies such as Google Inc and Facebook Inc.
Those companies, however, have refused to give full support to cybersecurity bills without some reform of surveillance practices exposed by Snowden that have hurt U.S. technology companies' efforts to win business in other countries.
"Obviously there have been tensions," Daniel told reporters.
"But I think that's the kind of thing where the only way to get at that is to continue to have dialogue and to continue to engage, and the president has been committed to that," he said.
Google, Facebook and Yahoo are not sending their chief executives to the Stanford conference because of the rift, according to an executive at a major technology company. Apple Inc Chief Executive Tim Cook will give an address.
Obama also will meet privately with some executives on Friday. They are expected to press again for surveillance reform and support for strong encryption, which some in the administration have faulted recently on the grounds that it enables criminals and terrorists to hide their activity.