During his annual State of the Union address in February, President Barack Obama acknowledged “the real and growing threat” of cyber attacks on American infrastructure and announced that he had signed an executive order to strengthen cyber defenses and promote the sharing of information related to security threats.
The order (available in full on the White House website) states that companies responsible for the country’s infrastructure (dams, electrical grids, and financial institutions) may join the Enhanced Cybersecurity Services program, which will provide classified cyber-threat and technical information from the federal government to eligible critical-infrastructure companies or contracted vendors that offer security services to critical infrastructure. It also requires federal agencies to “expedite the processing of security clearances” for companies deemed eligible for the program, and to produce unclassified reports of specific threats in real time so that the companies can be prepared.
Jerry Ferguson, co-leader of the privacy and data protection team at law firm BakerHostetler, says the executive order is deliberately oblique about private-sector businesses disclosing information about cyber threats to the government. “The order is very clear when it talks about the government sharing information with the industry about threats, because that’s not controversial,” he says. “But it’s much more euphemistic when it talks about the sharing going the other way.”
Legislation on cyber security has repeatedly stalled because of concerns surrounding mandatory standards, information sharing, and civil liberties, especially as the latter applies to customer privacy. The executive order addresses all of the issues in vague ways, Ferguson says. “But I wouldn’t say that, just because it’s ambiguous, it’s not going to go anywhere,” he says. “I think when the reports come out, we’ll see some teeth.”
Many support the creation of federal cyber-security standards as long as they are voluntary. “That level of engagement is impressive, but expect some tension to occur over implementing ways for companies to share more proprietary information with government agencies,” warns Theodore Kobus, co-leader of BakerHostetler’s privacy team.
Kobus says there are risks CFOs should be aware of when considering voluntary disclosure about cyber threats. The first is whether such disclosures will interfere with, or be inconsistent with, standard Securities and Exchange Commission filings. “Should you be disclosing under SEC guidance that you’re telling the government about these threats?” he asks.