The President’s Executive Order on Information Sharing… An Unnecessary Act

As I read the President’s Executive Order last week, I was amazed at how government officials can spend so much time preparing the public for a grand political statement that will benefit all Americans and then, when so much is expected, so little is gained.

As the CEO of a cyber security company, I was, on one hand, excited to see the government paying attention to the industry during the SOTU address, but on the other hand was left dismayed at the proposition put forth, as everything mentioned was pretty much already in existence. Then, with the Cyber Security Summit taking place, I was hoping once again that some steps would be taken to demonstrate that the government would take the first steps on the path to developing a public/private relationship.

And once again, I was let down. Instead of a path ahead, or at least a vision, we got another executive order. Like all executive orders, this one does little to provide a unique path, mandate or a structure to achieve the end state, which is the voluntary cooperation and sharing of cyber threat data. This unilateral move, at a time when Congress is willing to address this issue and has several variations of cyber legislation ready to pass, only confuses the cyber security industry and accomplishes little. This executive order, like so many other pieces of proposed legislation, provides an honorable intent, but the execution deserves a lot more.

Let’s look at the Executive Order piece by piece:

Section 1: The introduction of this order outlines the president’s vision: to get companies to share data. However, beyond that there is no meat. In order to get companies to cooperate they must see that there is a vision and that vision is completely thought out in terms of organizational responsibility, command and control, and concerns that companies have regarding liability and disclosure.

Section 2: The major concept outlined here is that the Secretary of Homeland Security creates Information Sharing and Analysis Organizations. This is a great concept, except for one thing: they already exist. As I stated in another blog, there are at least 15 Information Sharing and Analysis Centers (ISACs) that are organized along business sector lines (Financial, Maritime, Health Care, etc.) and have an industry mandate to share information within the sector and keep industries aware of new threat information (http://www.isaccouncil.org). If these entities exist, why doesn’t the executive order just state for DHS to utilize this system, instead of replicating it? At least with the ISACs, the current issue of trust is taken care of, as they are a non-profit, industry-supported system.

Section 3: Third, there is a very vague discussion of the establishment of a competitive process to establish an ISAO Standards Organization whose mission is to develop the business processes, contracts and all standards for an ISAO to be an approved entity to share information. If this effort is to attract the voluntary cooperation of US Companies to share cyber threat data, then the complexity outlined here is unnecessary. These are supposed to be volunteer, non-profit organizations. If that is so, minimal standards are necessary if the true intent is cooperation and trust.

Section 4: This section concerns the assignment of the mandate for the National Cyber Security and Communications Integration Center (NCCIC), a subcomponent of DHS, to organize and work with the ISAOs. Currently the existing ISAC network already works with the NCCIC, so that structure is in place and not worthy of an executive order.

Section 5: Privacy and Civil Liberties Protection: In what should have been the most in-depth portion of this order, we find… nothing. Vague words promising that only organizations engaged under this order (which means that other agencies with a cyber-security mandate are not affected) must do their best to identify how their organization’s work under this order would affect privacy and civil liberty and to ensure that “appropriate protections” are applied. Without defining “appropriate protections” or ensuring that these protections would apply to other agencies that would have access to the information that would need to be shared, this section only refers to the most critical issue outlined by business and does nothing to define what needs to take place.

Section 6: This section seems to refer to the modification of the National Industrial Security Program, or NISPOM. This program is managed by the Department of Energy and is basically the bible for companies to follow to maintain compliance with Government security programs and to retain the ability to access classified data. It seems that there is a lot of word-smithing here that could be misconstrued as attempts to get companies under the thumb of the intelligence community, but at its heart, it’s an attempt to get the system to be more receptive for companies that don’t have classified requirements to obtain that access. However, again, if DHS would work with the ISACs and just qualify them to obtain access, then we wouldn’t have to look at thousands of companies (at taxpayer expense) to spend time and resources to get access to government information.

In the end, the administration has gone on its own path to do absolutely nothing. Instead of co-opting Congress, which is ready to move on to legislation (which I oppose), or creating a system that fosters trust through anonymity and non-attribution between the private and public sector, the President has independently proposed a system that replicates one that is already in place and, in the end, provides absolutely no forward progress in addressing this critical issue.
