On February 13, 2015, President Obama spoke to attendees of the White House Summit on Cybersecurity and Consumer Protection held at Stanford University. Calling the digital world a "sort of Wild Wild West," Obama and many corporate representatives announced developments intended to strengthen cybersecurity. Obama also signed an Executive Order to encourage and promote information sharing between the private sector and the government. In addition, some of the nation's largest corporations announced their implementation of the Cybersecurity Framework developed in 2014 by the National Institute of Standards and Technology, a number of credit and financial institutions committed to increasing security in payment technology, and several companies announced that they will be focusing on multifactor authentication methods. Obama also revisited the legislative proposal sent to Congress last month following the State of the Union address.
Information Sharing
Information sharing has been a key concern of this
administration, as evidenced by the 2013 Executive Order on
Critical Infrastructure ("2013 Executive Order"), which
focused on increased sharing between the federal government and
critical infrastructure. Following his remarks at Stanford
University, Obama signed Executive Order 13587—Structural
Reforms to Improve the Security of Classified Networks and the
Responsible Sharing and Safeguarding of Classified Information
("Order"). The Order expands cyber threat and other
information sharing to the private sector generally. The Order
provides for a voluntary information-sharing framework in three
areas: (i) private sector collaboration, (ii) collaboration between
the private and the government sectors, and (iii) adherence to
privacy and civil liberty protections. To encourage private sector
collaboration, the Order encourages the development of information
sharing and analysis organizations ("ISAOs") and directs
the Department of Homeland Security ("DHS") to fund an
organization to develop a set of voluntary operating standards for
ISAOs.
The Order also streamlines the procedures for the National
Cybersecurity and Communications Integration Center to enter into
formal information-sharing agreements with private sector ISAOs.
For the first time, the Order adds the DHS to the list of federal
agencies that can approve classified cyber threat information
sharing arrangements. Finally, the Order calls for the development
of privacy standards among the voluntary standards to be developed
for ISAOs and requires federal agencies collaborating with ISAOs to
coordinate any information-sharing activities with their senior
agency officials to address privacy and civil liberties
concerns.
Cybersecurity Framework
The President's 2013 Executive Order directed the development of a Cybersecurity Framework ("Framework") by the National Institute of Standards and Technology. The Framework itself, released in early 2014, has been promoted by the government as an important voluntary tool for guiding an organization's decisions about cybersecurity. Various corporations have announced a commitment to using the Framework and intend to require their vendors to use it as well.[1] It remains to be seen whether the Framework, if widely adopted, could lead some to maintain that it represents a reasonable standard of care. Nevertheless, where the Framework is imposed as a contractual obligation, failure to abide by it may expose some companies to breach of contract risks. Thus, careful consideration must be given to adopting the Framework.
Secure Payment Technologies
The President's BuySecure Initiative, introduced in October 2014 as part of the Executive Order—Improving the Security of Financial Transactions, is intended to increase protection of payment cards by requiring the use of Chip and Pin technologies by federal agencies. It also seeks to promote the adoption of Chip and Pin technologies by the private sector. A summary of this initiative is available in our Jones Day Alert, "California Attorney General Calls for Greater Data Protection, and Recommends Adoption of Chip and Pin Payment Card Technology." During the summit, a number of companies also announced various commitments they have made to advancing payment technology, including tokenization (the substitution of credit card numbers with randomly generated tokens during each transaction), adoption of Apple Pay for federal government transactions, and cybersecurity educational programs for small businesses. The administration also emphasized the number of companies that have committed to making credit scores available for free to customers as part of its efforts to provide resources for identifying identity theft.
Multifactor Authentication Methods
The Summit also included announcements by several technology companies and financial institutions regarding the development of multifactor authentication technologies, such as nonpassword-based authentication, new multifactor authentication based on biometrics, and support for an open standard for authenticating domain names by the end of 2015. Obama noted the government's investment in these new technologies through the National Strategy for Trusted Identities in Cyberspace.
Proposed Legislation
Obama also emphasized the legislative proposals he provided
to Congress in January 2015, stating that key cybersecurity
legislation is needed to support increased information sharing,
allow law enforcement authorities to combat cyber crime, and
standardize data breach reporting. In the absence of such
legislation, however, the initiatives announced during the summit
at Stanford, as well as the information sharing covered by the
Order, will be purely voluntary.
Private industry appears to prefer legislation that will clearly
address the mechanics, responsibilities, and, most importantly,
liability protection for firms that share such information. While
cyber threat information sharing is important to combating
cybercrime, firms need to carefully consider whether they should
agree to the imposition of "privacy protection standards"
in the absence of liability protections. Thus, while the
advancement of greater information sharing between the private and
public sectors may be a move in the right direction, it is not
likely to be universally well received by private industry,
particularly those companies and industries that remain concerned
with the increasing level of government access to their customer
information, and those with heightened liability issues such as
antitrust and sensitive information.
Footnote
[1] Katie Zezima, "Obama signs executive order on sharing cybersecurity threat information," Washington Post (Feb. 13, 2015), available at: www.washingtonpost.com/blogs/post-politics/wp/2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/?tid=ptv_rellink; Bill Chappell, "Obama: Cyberspace Is The New 'Wild West'," NPR (Feb. 13, 2015), available at: www.npr.org/blogs/thetwo-way/2015/02/13/385960693/obama-to-urge-companies-to-share-data-on-cyber-threats