Obama’s cybersecurity initiative: a start but businesses – and individuals – need to do more

By Frank J Cilluffo and Sharon L Cardash

Published 26 February 2015

The linchpin of President Obama’s recently launched cybersecurity initiative is to encourage the private sector to share information to better defend against cyberattacks. Yet U.S. companies have historically been wary of openly talking about their cybersecurity efforts with competitors and with government — for good reason. Many businesses fear that sharing threat-related information could expose them to liability and litigation, undermine shareholder or consumer confidence, or introduce the potential for leaks of proprietary information. For some companies, Edward Snowden’s revelations of sweeping government surveillance programs have reinforced the impulse to hold corporate cards close to the vest. Yet on the heels of a deluge of high-profile cyberattacks and breaches against numerous U.S. companies, we may finally have reached a tipping point, where potential harm to reputation and revenue now outweighs the downside of disclosure from a corporate perspective. Obama’s executive order is thus a spur to get the ball rolling but, frankly, there is a limit to what government alone can (and should) do in this area. Changes in attitudes and behaviors are needed across the board, right down to families and individuals.

Blueprint for safer Internet
Obama’s executive order is meant to shore up public health and safety, as well as national and economic security, by promoting the exchange of information on cybersecurity risks and incidents. The goal is to share data within and between industries to foster speedy and effective response to cyberthreats.

The executive order empowers the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations” (ISAOs), “organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities.” These ISAOs are intended “to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government.”

In addition, three days before the announcement of the executive order, the White House announced the creation of a national Cyber Threat Intelligence Integration Center (CTIIC). Akin to the National Counterterrorism Center, the CTIIC will work to “connect the dots between various cyberthreats to the nation so that relevant departments and agencies are aware of these threats in as close to real time as possible.” The ultimate objective is to “facilitate and support efforts by the government to counter foreign cyberthreats.”

The idea underlying the executive order and companion measures is to make it harder for cybercriminals and worse to achieve their prize, be it profit, intellectual property, state secrets, or geo-strategic advantage. For too long, too many factors have operated in the cyberattacker’s favor.