President Obama signed an executive order Friday directing the Department of Homeland Security to create new cybersecurity organizations that would make it easier for the federal government to get private sector data.
Formally announced by Obama at a White House Cybersecurity Summit at Stanford University in Palo Alto, California, the order directs the Department of Homeland Security to create a new entity in charge of making rules for how private sector companies share cybersecurity information with each other and the government.
The order also makes it easier for DHS's lead cybersecurity agency, the National Cybersecurity and Communications Integration Center, to share information, including classified information, with the new cybersecurity organizations, officially called Information Sharing and Analysis Organizations.
The private sector already supports a slew of similar Information Sharing and Analysis Centers, but the Obama administration does not like how the existing entities are organized and the White House wants to entice them to share more information with government.
Separately, the White House is also pushing legislation on Capitol Hill that would give companies sharing information with the federal government protection from lawsuits by consumers who believe their privacy has been violated. Obama hopes the Stanford summit will encourage action on that legislation.
But Silicon Valley CEOs are resisting Obama's policies. Facebook CEO Mark Zuckerberg, Yahoo's Marissa Mayer, and Google's Larry Page and Eric Schmidt were all invited to the summit but declined to attend.
Not only are these tech companies still wary of trusting the federal government in the wake of the Edward Snowden revelations, but they also object to the NSA's policy of withholding known cybersecurity flaws in private sector hardware and software. The NSA stockpiles these security bugs so they can exploit them for their own purposes in the future. Tech companies would prefer the NSA just alert them to the flaws as they are found so they can be fixed and better protect American consumers.
Obama also created another brand-new government cybersecurity agency Tuesday, the Cyber Threat Intelligence Integration Center, which will be housed in the Office of the Director of National Intelligence, not the DHS. This new agency will be charged with coordinating cybersecurity information between intelligence agencies and other government agencies like the FBI and DHS.
More than one cybersecurity expert has questioned whether or not another layer of bureaucracy is really what our nation's security needs.
“Right now, we have several government, private sector, and even corporate-sponsored sharing centers, in addition to several state and federally funded efforts,” Viewpost's Christopher Pierson told the Christian Science Monitor. “So one more agency might be better if it ties the data, provides bi-directional information sharing, and speed across all sectors. But it may also be another layer.”
For several years we’ve been told that the Department of Homeland Security plays the lead role in coordinating the government’s cybersecurity efforts, and isn’t information sharing and integration pretty much what the NCCIC is supposed to be doing? That’s what it says on the tin, at any rate. What, exactly, is supposed to be the advantage of spinning up an entirely new agency from scratch to share that mission? Why would you house it in ODNI if your primary goal is to coax more information out of a wary and skeptical private sector? Is there even good evidence that inadequate information “integration” is significantly to blame for the poor state of American cybersecurity? Our intelligence agencies, to be sure, could be doing a better job of sharing threat information with the private sector—but their own notorious culture of secrecy seems to be the limiting factor there. Even the White House’s own former cybersecurity coordinator, Melissa Hathaway, told the Post that “creating more organizations and bureaucracy” was unlikely to do much good.
Considering the cool reception from the private sector and cybersecurity experts, don't expect Obama's cybersecurity priorities to go anywhere on Capitol Hill anytime soon.