Obama to encourage companies to share cyber threat data

Executive order is seen as step in preventing attacks such as the one on Sony

US president Barack Obama is set to sign an executive order on Friday aimed at encouraging companies to share more information about cybersecurity threats with the government and each other, a response to attacks such as the one on Sony Entertainment.

The order sets the stage for new private-sector led “information sharing and analysis organisations” (ISAOs) - hubs where companies share cyber threat data with each other and with the Department of Homeland Security.

It is one step in a long effort to make companies as well as privacy and consumer advocates more comfortable with proposed legislation that would offer participating companies liability protection, the White House said.

"We believe that by clearly defining what makes for a good ISAO, that will make tying liability protection to sectoral organisations easier and more accessible to the public and to privacy and civil liberties advocates," said Michael Daniel, Mr Obama's cyber coordinator, in a conference call with reporters.

READ MORE

Mr Obama will sign the order at a day-long conference on cybersecurity at Stanford University in the heart of Silicon Valley.

The move comes as big Silicon Valley companies prove hesitant to fully support more mandated cybersecurity information sharing without reforms to government surveillance practices exposed by former National Security Agency contractor Edward Snowden.

Cybersecurity industry veterans said Mr Obama’s anticipated order would be only a modest step in one of the president’s major priorities - the defence of companies from attacks like those on Sony and Anthem Inc.

Mr Obama has proposed legislation to require more information-sharing and limit any legal liability for companies that share too much. Only Congress can provide the liability protection through legislation.

Businesses are unlikely to share a lot of timely and “actionable” cyber intelligence without liability relief, said Mike Brown, a vice president with the RSA security division of EMC Corp.

“Until that gets resolved, probably through legislation, I’m not sure how effective continued information-sharing will be,” said Mr Brown, a retired Naval officer and former cyber official with the Department of Homeland Security.

Senator Tom Carper, the top Democrat on the Senate Homeland Security committee, introduced a bill this week that incorporates much of Mr Obama’s plan. But Republicans control Congress, and they have yet to sign on to the idea.

“This is an urgent matter and we are working with anyone that we can up on the Hill to make that happen,” said Mr Daniel, who had not yet reviewed Carper’s bill.

Getting a bill through Congress will require at least the support of big Silicon Valley companies such as Google and Facebook.

Those companies, however, have refused to give full support to cybersecurity bills without some reform of surveillance practices exposed by Snowden that have hurt US technology companies’ efforts to win business in other countries.

“Obviously there have been tensions,” Mr Daniel told reporters.

“But I think that’s the kind of thing where the only way to get at that is to continue to have dialogue and to continue to engage, and the president has been committed to that,” he said.

Google, Facebook and Yahoo are not sending their chief executives to the Stanford conference because of the rift, according to an executive at a major technology company. Apple chief executive Tim Cook will give an address.

Obama also will meet privately with some executives on Friday. They are expected to press again for surveillance reform and support for strong encryption, which some in the administration have faulted recently on the grounds that it enables criminals and terrorists to hide their activity.

Big technology companies and a host of startups have been beefing up encryption in Snowden’s wake to make blanket intelligence collection overseas more difficult.

Reuters