By Joseph Beyda
President Barack Obama called for increased information sharing about cyber threats in the executive order he signed onstage at Memorial Auditorium on Friday.
The order, which Obama discussed in a roundtable with business leaders shortly after his keynote address, is intended to facilitate collaboration among private sector companies and between those companies and the government.
According to MasterCard CEO Ajay Banga, a participant in the roundtable, the order addresses a “patchwork of issues” that disincentivize businesses from self-declaring cybersecurity breaches.
He told reporters that currently, companies risk legal or regulatory action after they have informed the public of such an attack. They are also subject to Freedom of Information Act requests and may have to provide raw information lost during a breach — including customers’ personal data — to law enforcement agencies.
The executive order encourages the creation of standardized Information Sharing and Analysis Organizations (ISAOs), a potential step toward legislation to protect businesses that voluntarily share information.
According to Banga, the flow of information goes in both directions. Banga noted that the government currently cannot inform businesses if they are under attack because it would give the company a competitive advantage. He said that Obama’s executive order — which gives companies access to classified threat information — may change that policy.
“The president doesn’t view this as a one-off,” Banga said. “He is very deeply aware of the issues.”
White House Cybersecurity Coordinator Michael Daniel told reporters that the executive order promotes the sharing of data that is very technical in nature, such as malware indicators and bad IP addresses.
“I think what you’re seeing is a realization across a growing swath of American companies that the only way to address this problem is in partnership with each other and with the government,” Daniel said.
Last spring, the Department of Justice and Federal Trade Commission issued guidance that sharing cyber threat information was not a basis for antitrust concerns. However, Daniel said that some companies want liability protection as well, which is built into Obama’s legislative proposal.
Banga called for a legislative solution.
“An executive action can only take you this far,” he said.
Contact Joseph Beyda at jbeyda ‘at’ stanford.edu.