US: Cyber Risk Update
Cyber security is widely viewed in the US as an urgent legislative and regulatory issue. The topics addressed below represent a selection of recent developments of note.
Obama Administration’s Recent Cyber Initiatives
During the week of 12 January 2015 the Obama Administration released legislative proposals aimed at improving cyber security. These measures included:
- Federal Data Breach Notification Law – The Administration proposed a breach notification law that would pre-empt state notification laws and create a national standard requiring consumer notification within 30 calendar days of the discovery of a breach of “sensitive personally identifiable information.” It would apply to all companies dealing with sensitive personal information concerning more than 10,000 individuals during any 12-month period. A similar bill in Congress (HR 580) would require notification within 45 calendar days and would apply to all entities under the Federal Trade Commission’s authority.
- The creation of a cyber threat information sharing framework – This would provide liability protection to private entities that disclose cyber threat indicators to the federal government and to private Information Sharing and Analysis Organizations (ISAOs), which the law envisages as private entities that abide by information sharing best practices. Private entities disclosing information pursuant to the proposed legislation would be required to make “reasonable efforts” to remove anything that would identify people who are caught incidentally in the data disclosure and who are “reasonably believed to be unrelated to the cyber threat.”
Both proposals have received some bipartisan Congressional support. However, information sharing legislation is opposed by privacy and civil liberties groups, which are reluctant to expand potential government access to the personal data of US citizens. Many private companies are also hesitant to embrace proposals that would require them to share information with the federal government.
Executive Order on Cybersecurity Information Sharing
On 13 February 2015, President Obama issued an executive order (the “Order”) requiring the Secretary of Homeland Security to encourage the formation of ISAOs that would enable the voluntary sharing of information related to cyber security risks and incidents. ISAOs are intended to foster information sharing amongst entities in a particular economic sector. However, ISAOs may also be organised on the basis of region or any other affinity, including in response to particular emerging threats or vulnerabilities. Further, the Order designates the National Cybersecurity and Communications Integration Center (NCCIC) as a critical infrastructure protection programme and grants it the authority to enter into voluntary agreements with ISAOs to share classified cyber threat information affecting critical infrastructure.
The Administration views the Order as complementing its January 2015 legislative proposal by further developing the concept of ISAOs. The Administration believes ISAOs could serve as the framework for the targeted liability protections that it views as crucial to incentivising cyber threat information sharing.
New Central Cybersecurity Agency
On 10 February, the White House announced that an agency to monitor cyber threats and pool and analyse data would be established.
The Cyber Threat Intelligence Integration Center (CTIIC), which will operate under the Office of the Director of National Intelligence, is intended to help agencies better integrate their expertise and information. The new center will analyse and integrate data that is already being collected. It will not collect intelligence or perform functions already assigned to other agencies. The President’s advisor stated that “Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within the government, and supporting the work of operators and policy makers with timely intelligence about the latest cyber threats and threat actors . . . the CTIIC is intended to fill these gaps.”
US and UK Collaboration
The US and UK governments are closely collaborating on cyber security, having recently announced a series of simulated cyber-attacks to test each other’s resiliency. The first exercise will simulate attacks on the City of London and Wall Street, addressing growing fears about the vulnerability of the financial sector to cyber-attacks.
Note: Critical Infrastructure sectors are designated in Presidential Policy Directive (PPD-21) as: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.