Obama pushes for more cyberthreat information sharing

13.02.2015
U.S. businesses and government agencies need to work more closely together to combat the growing threat of cyberattacks, President Barack Obama said Friday.

Calling on U.S. agencies and businesses to share more cyberthreat information, Obama said he had signed an executive order intended to encourage more cooperation.

Protecting against cyberattacks "has to be a shared mission," Obama said during a speech at Stanford University. "Government cannot do this alone, but the fact is, the private sector cannot do this alone either."

Government agencies can help the private sector by coordinating efforts during cyberattacks and responding to them, but many private companies have "cutting-edge" tools to protect themselves, Obama noted.

"It's not appropriate, or even possible, for government to secure the computer networks of private businesses," he added. "We're going to have to be smart and efficient and focus on what each sector does best, and then do it together."

Obama's executive order encourages companies to form information-sharing and analysis organizations, through which they can share cyberthreat information. It also directs the Department of Homeland Security to fund the creation of a nonprofit organization that will develop a common set of voluntary standards, including privacy protections, for these information-sharing cooperatives.

The order also streamlines the process for the DHS National Cybersecurity and Communications Integration Center [NCCIC] to enter into agreements with the information-sharing cooperatives.

It's difficult for government to find the right balance between protecting privacy and fighting cyberattacks, Obama said. "It constantly evolves, because the technology so often outstrips whatever rules and structures and standards have been put in place," he said.

Obama also called on Congress to pass legislation that would protect businesses from customer lawsuits when they share cyberthreat information with each other and with government agencies.

Some U.S. lawmakers and tech trade groups have pushed Congress for years to pass legislation that would protect businesses that share this data from customer lawsuits. But privacy groups have objected to past bills like the Cyber Intelligence Sharing and Protection Act [CISPA], saying it would allow businesses to share too much personal information with the government.

Several other participants at the White House's Silicon Valley Cybersecurity Summit also stressed the need for government agencies and private businesses to better share cyberthreat information with each other.

Private companies and the U.S. government need a closer relationship on cybersecurity, said Lisa Monaco, assistant to Obama for homeland security and counterterrorism. "The private sector cannot and should not rely on the government to solve all of its cyberproblems," she said. "But at the same time -- and make no mistake about this -- the federal government will not leave the private sector to fend for itself."

Some participants in the summit said the government has needed to take more steps toward information sharing. The government needs to do a better job of quickly sharing cyberattack information, said Kenneth Chenault, CEO of American Express. A tiny percentage of the threat indicators American Express examines every year comes from government information, he said.

"The government needs to aggressively share with the private sector, in an appropriate manner, the indicators of attack," Chenault said.

In order for information sharing to work, companies need protections from lawsuits, he added.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Grant Gross