
Executive Order 13691

Promoting Private Sector Cybersecurity Information Sharing

Ordered by Barack Obama on February 13, 2015

Summary

Encourages voluntary formation of private-sector cybersecurity information-sharing groups (ISAOs). Directs Homeland Security to facilitate their development, establish common standards, and enable federal collaboration. Ensures privacy and civil liberties protections. Updates security clearance guidelines for participants.

Overview

Introduction to the Executive Order

Executive Order 13691, issued by President Barack Obama on February 13, 2015, is a strategic effort to enhance cybersecurity across both the private and public sectors in the United States. It specifically aims to promote the sharing of cybersecurity threat information among private organizations, federal agencies, and other stakeholders. The order seeks to mitigate cyber threats that pose risks to national security, public health and safety, and economic stability. By encouraging the formation of Information Sharing and Analysis Organizations (ISAOs), this order seeks to establish a collaborative cybersecurity ecosystem that functions in as close to real time as possible.

Key Provisions

The executive order empowers the Secretary of Homeland Security to facilitate the growth of ISAOs, which can be organized based on sector, region, or in response to specific cyber threats. These organizations can be for-profit or nonprofit and can include diverse stakeholders from both the public and private sectors. The role of the National Cybersecurity and Communications Integration Center (NCCIC) is emphasized as a hub for information exchange with ISAOs, ensuring that best practices are implemented and that information is shared securely.

Focus on Privacy and Civil Liberties

Significantly, EO 13691 mandates that information sharing processes respect privacy and civil liberties. This is achieved by incorporating the Fair Information Practice Principles and other privacy-related frameworks, ensuring that sensitive data is handled with care. The requirement for federal agencies involved in the order to coordinate with privacy and civil liberties officials underscores a commitment to safeguarding individual rights while enhancing cybersecurity measures.

Legal and Policy Implications

Constitutional and Statutory Considerations

This executive order does not introduce new regulatory authority but rather builds on existing legal frameworks such as the Homeland Security Act and the Critical Infrastructure Information Act of 2002. The order is consistent with previous directives like EO 13636 and the Presidential Policy Directive-21, emphasizing continuity in cybersecurity policy. It empowers the Department of Homeland Security (DHS) to facilitate private-sector collaborations without imposing new legal mandates, thus aligning with the constitutional separation of powers.

Amendments and Supersessions

EO 13691 amends EO 12829, which governs the National Industrial Security Program. These amendments expand the responsibilities of various federal entities concerning cybersecurity, reflecting evolving technological landscapes and increasing threats. The order also aligns existing legal instruments with contemporary cybersecurity demands, ensuring that security measures evolve in response to increased digital interconnectivity and sophisticated cyber threats.

Federal Agency Coordination

The executive order mandates coordination among various federal entities, including the Office of Management and Budget, the National Institute of Standards and Technology, and the Department of Justice. This interagency collaboration is designed to establish consistent, voluntary standards for ISAOs, fostering an environment of trust and efficacy in cybersecurity information sharing. Additionally, the order ensures that the development of these standards is influenced by public and private sector stakeholders, thereby adhering to democratic principles of openness and participation.

Who Benefits

Private Sector Organizations

Private sector entities, particularly those in critical infrastructure sectors such as finance, energy, and transportation, stand to benefit significantly from EO 13691. By participating in ISAOs, these organizations can access a wealth of information on cybersecurity threats and best practices. This collaborative environment enables them to strengthen their own defenses while contributing to national cybersecurity resilience.

Cybersecurity Firms

The executive order indirectly benefits cybersecurity firms by fostering greater demand for their services. As ISAOs grow and the need for robust cybersecurity solutions increases, companies specializing in security technology and consulting are likely to see new business opportunities. The proliferation of collaborative networks necessitates advanced tools and expertise, driving innovation and economic growth within the industry.

Federal Agencies

Federal agencies benefit from enhanced collaboration with the private sector, gaining access to critical threat intelligence that can improve national security efforts. Agencies involved in cybersecurity can leverage the shared information to bolster their protective measures and develop informed policy responses, thereby enhancing the overall security posture of the country.

Consumers and the General Public

Consumers and the general public stand to gain from improved cybersecurity defenses resulting from the information sharing promoted by EO 13691. As private companies and government entities enhance their security measures, the likelihood of widespread cyber incidents that could impact economic stability and personal data privacy is reduced, contributing to broader societal benefit.

Who Suffers

Potential Risks to Privacy

While EO 13691 emphasizes privacy and civil liberties protection, there remains a potential risk of overreach in data sharing, where sensitive personal information might be inadvertently exposed. This can particularly impact individuals whose data may be handled improperly by entities participating in ISAOs, despite the order’s privacy mandates.

Small and Medium Enterprises (SMEs)

Smaller businesses might face challenges participating in ISAOs due to resource constraints. The cost of implementing robust cybersecurity measures and engaging in information-sharing networks can be prohibitive for SMEs, potentially leaving them vulnerable to cyber threats or excluding them from beneficial information exchanges.

Non-Participating Organizations

Organizations that choose not to engage with ISAOs may find themselves at a disadvantage compared to their peers who are able to access timely and relevant cybersecurity threat information. Non-participation can lead to competitive disparities, particularly for businesses in industries where cybersecurity threats are prevalent.

Historical Context

Continuation of Cybersecurity Policy Trends

EO 13691 builds on a decade-long effort to strengthen the nation’s cybersecurity posture, following in the footsteps of initiatives like the National Strategy to Secure Cyberspace (2003) and subsequent cybersecurity-focused executive orders. This continuity reflects a bipartisan understanding of the growing and evolving nature of cyber threats, necessitating sustained policy focus.

Obama Administration’s Policy Priorities

The order aligns closely with the Obama administration's broader strategy to bolster national security while protecting civil liberties. It complements efforts such as the Digital Government Strategy and the Comprehensive National Cybersecurity Initiative, showcasing a commitment to integrating technology policy with public safety and privacy considerations.

International Implications

Given the global nature of cybersecurity threats, EO 13691 implicitly supports international collaboration, as it promotes voluntary standards consistent with international practices. By engaging with global stakeholders, the order helps position the United States as a leader in international cybersecurity efforts, influencing norms and practices worldwide.

Potential Controversies or Challenges

Privacy and Civil Liberties Concerns

The expansion of information sharing mandated by EO 13691 has sparked debates over potential violations of privacy and civil liberties. Critics argue that despite built-in protections, the scale of data sharing could lead to excessive surveillance, prompting calls for stricter oversight and accountability mechanisms to ensure compliance with privacy standards.

Regulatory Limitations

The executive order’s reliance on voluntary compliance by private sector entities may present an enforcement challenge. Without regulatory power to mandate participation, achieving comprehensive engagement across all critical sectors could be problematic, potentially limiting the effectiveness of the information-sharing initiatives proposed.

Industry Hesitance

Some industries may be hesitant to share sensitive cybersecurity information due to concerns about competitive disadvantage or legal liabilities. Despite assurances of confidentiality and legal protections, businesses may fear reputational harm or exposure to legal risks, which could inhibit full participation and undermine the order’s objectives.

Resource Allocation

Ensuring adequate resources for the implementation of EO 13691 presents another challenge. Federal agencies and private entities alike must allocate sufficient resources to establish and maintain ISAOs, potentially straining budgets and limiting broader cybersecurity initiatives if funding is not prioritized effectively.
