President Obama signed a sweeping new executive order Friday, making it easier for government agencies and private companies to share information with each other in case of a hack.
“American companies are being targeted,” he announced at the keynote speech at the White House’s cybersecurity summit at Stanford University.
“Only through government and industry working together, sharing information as true partners,” he said, was the country best equipped to fight cyberattacks. Examples of such attacks, he said, include both grander attacks on U.S. infrastructure and the recent hack on Sony Entertainment.
“It’s a direct threat to the economic security of American families,” he added.
But there’s a hitch.
The very idea of information-sharing—that a key point in stopping and mitigating major hacks is for the victim to be able to show the government what’s happening—is somewhat controversial. On the surface, the idea makes basic sense: The government doesn’t want private companies to be victimized by hacks, and, as the White House announced in a fact sheet released shortly before Obama’s signing, “it enables U.S. companies to work together to respond to threats, rather than operating alone.”
Information-sharing has been at the heart of a number of proposed bills in recent years, ranging from the Cyber Intelligence Sharing and Protection Act (CISPA), a Republican-led bill that’s passed the House twice, to iterations of the Democrat-favored Cybersecurity Act. Congress has yet to come to a consensus on such a bill, and there’s no sign that’s going to change soon.
But digital rights groups, fearful in the post-Edward Snowden age of any explicit legal authorization of the government to have easier access to private information, disagree.
“Data becomes more vulnerable, not more secure, as it flows across the Internet,” Drew Mitnick, Junior Policy Counsel at the digital rights advocacy group Access.org, told the Daily Dot.
“That’s why we need to pass comprehensive cybersecurity legislation—not an executive order—that would actually improve our digital security, incentivize better digital hygiene, and respect our privacy. Such measures, and not more information sharing, are needed to address crippling data breaches.”
The Electronic Frontier Foundation has echoed that sentiment, declaring bluntly that “information sharing would not have stopped the Sony attack,” and pointing out that there are a number of underused information-sharing programs already in place.
The executive order stresses partnerships between private companies, too, termed “information sharing and analysis organizations,” or ISAOs, which could be any organization devoted to helping stop a given hack. It also would give, in emergency situations, private companies better access to classified information pertaining to certain attacks.
White House officials told Reuters that because of the limitations of executive orders, Obama’s order wouldn’t limit the legal liability of companies that overshare their networks’ information, and that the White House wants to inspire Congress to do so.