Obama's new cybersecurity order will allow for expanded information sharing between private companies and the federal government—and many major companies are on board.
With or without controversial new legislation such as the Cybersecurity Information Sharing and Protection Act, President Obama is doing his best to make sure companies share the information they know about you with the federal government.
On Friday, the president issued a cybersecurity executive order that creates a new framework for "expanded information sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber threats," according to an emailed fact sheet from the White House.
The Sony hack of late last year made the idea of "cyberwar" all too real for many politicians, including Obama, who has spent much of the last two months talking about the need for expanded cooperation between the government and private companies. Considering all that rhetoric, Friday's move doesn't come as any real surprise.
So far, Apple, Intel, Bank of America, US Bank, Pacific Gas & Electric, AIG, QVC, Walgreens, and Kaiser Permanente have all signed up to use a new cybersecurity framework that could facilitate future information sharing (but doesn't appear to include that provision now), according to the White House.
But some groups are signing on for full information sharing, starting now. They include the Cyber Threat Alliance, which includes Palo Alto Networks, Symantec, Intel Security and Fortinet; the Entertainment Software Association, which represents Sony and Microsoft's video game divisions, as well as many more of the largest video game companies in the country; Crowdstrike, a security firm; Box, a cloud storage company; and FireEye, a cybersecurity firm.
The new executive order isn't CISPA, a cybersecurity bill that is generally focused on government-company information sharing that has been passed by the House of Representatives twice before but has died in the Senate because of severe privacy concerns. But it does create a convoluted system by which companies can share information with the federal government. The order allows for the creation of "information sharing and analysis organizations," which will be made up of one or more companies who will then work with a newly created National Cybersecurity and Communications Integration Center (announced earlier this week) to funnel information to the Department of Homeland Security.
Is this Obama going around Congress to create something that, thus far, hasn't had enough support to pass? Not exactly.
Obama doesn't have the power to give companies what's known as an "immunity clause" or a liability protection, which is one major sticking point on CISPA. That clause tells companies to remove all non pertinent identifying information from information they share with the government—but it also gives them legal immunity should they fail to do so, meaning they can screw up and not pay for it.
Obama's cybersecurity order has no such clause, which is why the White House said the order is "paving the way for future legislation."
The order also differs from CISPA in that information will be shared with the Department of Homeland Security, a civilian organization, rather than the NSA, a military organization. That's an important distinction that civil liberties experts have pushed for in trying to tone down CISPA in the past.
Though Obama's new framework has some big-name partners, there's a strong and powerful sector that seem to be less into the idea.
While Apple CEO Tim Cook will be attending an event in Palo Alto, California today where Obama will announce the project, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer, and Google's Larry Page and Eric Schmidt all were invited to attend but declined, according to Bloomberg Business. They will instead send lower-level employees to the summit as an information-gathering endeavor. Bloomberg suggested that those three companies "are trying to assure their users or customers that their products are secure and that they don't willingly turn over data to the government."
It's not necessarily time to panic yet—full information sharing doesn't seem likely without Congressional action. But all sectors of the government appear to be focused on giving law enforcement and intelligence agencies more access to private information.