President Obama’s new executive order, “Promoting Private Sector Cybersecurity Information Sharing,” issued on February 13, attempts to address the lack of a central hub or of uniform standards for sharing information on cybersecurity threats and vulnerabilities. However, in order to produce actionable results, improvements to information sharing must increase the ability of Information Sharing and Analysis Organizations (ISAOs) to rapidly collect, analyze, and disseminate a large volume of usable information to all relevant stakeholders.
While there has been some debate over which agency should act as the central hub for information sharing, the executive order assigns that role to the Department of Homeland Security (DHS). Although it is both appropriate and understandable that oversight of civilian networks would fall to a civilian agency, the increased responsibility has not been matched by the necessary level of investment “to enable the department to take the lead and become a fully capable actor in this domain, eliminating the current bottleneck and bureaucratic inertia.”
Congress and the DHS will need to tackle this weakness if the department is to be an effective information-sharing hub. The lack of uniform standards and guidelines also remains a barrier to information sharing.
Efforts to communicate threats in a timely and efficient manner are strained by the inability to consolidate processes, procedures, and technologies among participants. The proposed ISAO Standard Organization has been granted authority to identify a common set of standards “for the creation and functioning of ISAOs.” The creation of a nongovernmental organization to develop these standards is a positive choice that will “[limit] the fear of government control and [reduce] the profit-based monopolistic impulse.”
However, increasing standards without increasing liability and business protections is unlikely to notably increase participation—a problem that received relatively little attention.
Although the executive order’s improvements are modest, until Congress can reach a consensus on legislation concerning information sharing and liability protection, we must be content with the DHS’s freshly appointed power of encouragement for the “voluntary formation” of ISAOs. Congress should build on the President’s order and encourage information sharing by providing robust liability protection for those organizations that share cybersecurity information.
Rachel Zissimos is currently a member of the Young Leaders Program at The Heritage Foundation.