“As President, I have no greater responsibility than ensuring the safety and security of the United States and the American people. Meeting this responsibility requires the closest possible cooperation among our intelligence, military, diplomatic, homeland security, law enforcement, and public health communities, as well as with our partners at the state and local level and in the private sector. This cooperation, in turn, demands the timely and effective sharing of intelligence and information about threats to our nation with those who need it, from the President to the police officer on the street.”
President Barack Obama, writing in The National Strategy For Information Sharing And Safeguarding.
On Wednesday the President issued a 16-page game plan aimed at strengthening the process and protection of online sharing to fight cyber attacks. It’s called the the National Strategy for Information Sharing and Safeguarding. The NSISS is a guideline aimed at creating a “balance between sharing information with those who need it to keep our country safe and safeguarding it from those who would do us harm,” the President wrote. “Sharing and safeguarding are often seen as mutually exclusive, in reality they are mutually reinforcing. This Strategy, therefore, emphasizes how strengthening the protection of classified and sensitive information can help to build confidence and trust so that such information can be shared with authorized users.”
In short, it’s a directive on how to share data, and improve data flow, informing U.S. citizens that they are now partners in this battle, and thereby required to share their data in the name of national security, all the while promising to protect civil rights and privacy.
Less an executive order than a vision, “the strategy does not define particular categories or types of information that must be shared.” Instead, it focuses on a sharing policy with three main principles:
- Designating information as a national asset.
- Shared risk management and safeguarding,
- Informed decision making.
1. Information As A National Asset
Making information a national asset is basically a step to streamlining the flow of data between governmental agencies. The push to cut across siloed Federal branches and bureaus and integrate information is extremely important for both national and regional security. What’s likely going to happen is interconnected federal networks and new databases.
The strategy lists five goals:
- Driving collective action through collaboration and accountability.
- Improving data flow and discovery.
- Improving effectiveness by sharing services.
- Defining new policies and processes and reform to protect data.
- Protecting user privacy and civil rights.
Number five “protecting privacy and rights” is tricky. The document cleverly words that data management extends to U.S. citizens, stating that these “stakeholders” also have a responsibility and are an integral part in the success of this plan.
“Information collected, analyzed, and disseminated by every stakeholder must be discoverable and retrievable, consistent with necessary legal restrictions, and guided by government-wide policies, standards, and management frameworks.”
In other words, while supposedly toe-ing the civil rights line, the government is saying if they need your data, it’s your job to give it to them. Just how jurisdiction is enforced will no doubt be a contentious issue. The document states that privacy will be leveraged by “governance bodies and existing procedures, to continually refine and establish necessary guidelines for appropriate protections of shared information.” But the how and why of collecting citizen’s data will likely unfold on a case-by-case basis, most likely with howls of protest from civil rights groups like the ACLU.
2. Information Sharing And Safeguarding Requires Shared Risk Management
This step is basically a relationship builder, calling for trust between the private and public sectors. It’s the government’s pitch that more sharing and safeguarding improves both policy development and tackling security problems.
“Policies, practices, and methods for information sharing and safeguarding can enable appropriate confidentiality while increasing transparency,” Obama writes. “To realize the benefits of sharing information, stakeholders mitigate and manage risk by taking appropriate measures to build trust in the processes that safeguard information from compromise.”
Part of the sharing process will also include heavy data tagging to improve discovery and new authorization and authentication controls to likely bolster security and accountability.
3. Information Informs Decisionmaking
This third directive ties together the first two steps. It states that the ability to discover and retrieve accurate data “depends upon an ability to make information easily accessible to federal, state, local, tribal, territorial, private sector, and foreign partners.”
In other words, here’s your “we’re all in this together” notice from Uncle Sam. You do your part, we do our part, and this ship should sail.
“The above principles and below goals will help us achieve an environment wherein decisions are driven by information that reflects our best assessments at every level — from frontline personnel to agency heads,” Obama writes.
Is This Plan… A Good Thing?
In the wake of the failed SOPA and PIPA regulation bills, there’s been a lot of public mistrust when it comes to the government keeping tabs on the Internet. But could this be a positive step? At least one major security pundit thinks so.
“Government needs to be part of that system,” wrote Dan Kaminsky in a recent op-ed in
along with Stewart Baker, a former general counsel at the National Security Agency and assistant secretary for policy at the Department of Homeland Security.
“I’m encouraged to see Obama creating a framework,” said Kaminsky, one of seven Recovery Key Shareholders for the Domain Name System, and chief scientist at security firm DKH. He says sharing data is a key to making the Internet safer.
Trust Is The Key Question
In an interview with ReadWrite, however, Kaminsky said the public culture of fear and mistrust may make his support of the President’s move less than popular. Still, he says we know dangerously little about the details of cyber attacks on the whole – and sharing data could help lower the risk. “You can’t solve a problem without data.”
“If our goal is to have a foundation for commerce, information, freedom, privacy, we need better data on what bad guys are dong and what stops them,” he added. “The hard truth is that American information assets are under attack. Public, private, and personal resources are being extracted wholesale.”
These acts of espionage are “tremendous, and the ability to respond is insignificant,” Kaminsky said. “It’s not like bad guys just attack military targets,” Kaminsky explained. “Everyone’s under attack.”
According to Kaminsky, the government has a strong interest in avoiding a situation where “in order to run a business you have to field an army. That would destroy small business and any compeitive environment. At the end of the day, can every business large and small deal with activity of foreign nation state attackers? Honestly, no.”
In order for the effort to succeed, Kaminsky said, information must flow in both directions between the private and public sectors. But he warned that “We have a lot of work to do in figuring out what works and what doesn’t. Step one is collecting information. The challenge is – who watches the watchers – and how do you make sure that aggregating force that makes the ground rules doesn’t turn on everyone?”
Going After Bad Guys… Or 9-Year-Olds?
That’s a key issue. With SOPA and PIPA fresh in their minds, many worry that the feds will use the shield of national security to go after regular people. It’s “ridiculous,” Kaminsky said, but the issue is “our ability to arrest 9 year-olds. The average kid is not breaking into Honeywell and stealing nuclear secrets to cause terror. The average kid is listening to Justin Bieber. There’s some definite fear in our effort to protect the rest of the economy that we’ll see the same techniques used to deal with nation-state hackers used on our kids.”
If the feds pursue matters not linked to national security, Kaminsky warned, it’s going to threaten the credibility of the entire effort. Still, he’s optimistic that the NSISS is a much-needed good-faith step in the right direction.
Photo courtesy of Shutterstock.