After touching on cybersecurity in last month’s State of the Union, President Obama signed an executive order to promote increased information sharing about cyberthreats between government agencies and private corporations. The executive order directs government agencies to produce timely unclassified reports on cyberthreats for Congress and to facilitate the sharing of classified cyberthreat information with private companies that manage critical infrastructure.
While the order describes an expanded mode of information sharing from the government to private companies, it does not explicitly promote increased information sharing from private companies to the government. According to Wired, the order gives a nod to privacy concerns by “referenc[ing] established safeguards, such as the Fair Information Practice Principles” for data that private companies share with the government and calls for an assessment of the civil liberties implications of information-sharing programs. The executive order does not grant any exceptions to existing privacy law for private corporations, meaning that they are no more likely to share information with the government than they were previously. In this sense, the order is more sensitive to privacy and surveillance concerns than the roundly criticized CISPA bill, which was reintroduced in the House of Representatives last week and grants broad exemptions from privacy laws to companies that share cyberthreat data with the government.
The Verge worries that the definitions of “cyberthreat” and “critical infrastructure” as used in the executive order might be too broad. The White House has clarified that cyberthreats include “web site defacement, espionage, theft of intellectual property, denial of service attacks, and destructive malware.” Hence, “last month’s apparent hacking and defacement of MIT’s website in honor of late internet activist Aaron Swartz could be considered a ‘cyber threat’.” However, this seems like a faulty conclusion. The order addresses itself to information sharing about classified cyberthreats to critical infrastructure. MIT’s web site hardly qualifies as “critical infrastructure,” which the order specifies as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Moreover, the hacking of MIT’s website was probably not a classified matter.
More broadly speaking, although acts of public protest or free speech may fall under categories like “web site defacement” or “denial of service attacks” and hence constitute “cyberthreats,” that alone isn’t enough to instigate information sharing under the executive order; the order is concerned with government sharing of classified information about cyberthreats to critical infrastructure. The information sharing program is voluntary: eligible private companies can opt in to receive information from the government. It also seems that, for now, companies retain discretion over how to act on received information, meaning that the government can’t coerce companies into acting in a particular way.
The executive order itself only provides for one-way (from government to corporations) information sharing in the context of critical infrastructure, so the potential for harm to civil liberties is certainly mitigated. On the other hand, increased provision of information from the government to private corporations could in itself constitute pressure towards action that corporations might not otherwise have taken. For instance, government notice of a speech act (like the MIT hack) as a “cyberthreat” might strongly influence a private company to censor or delete simply because the “cyberthreat” label is so loaded. Furthermore, the order isn’t the end of the road, and it may open the gates to legislation less protective of privacy and free speech. Laws governing information sharing practices are still in flux, and invasive bills like CISPA are still being pushed forward.