Obama Says No More to Insider Data Breaches with a New Executive Order

Published On October 14, 2011 | By Randy Sabett | Data Security

In an Executive Order (the “Order”) released Friday, October 7, President Obama directed a number of activities to be carried out that are intended to “ensure the responsible sharing and safeguarding of classified national security information.” According to some pundits, the Order responds to a number of recent breakdowns in information security that have led to significant and embarrassing data breaches. The Order specifies “twin goals” of protecting classified information on computer networks while doing so in a way that is “consistent with appropriate protections for privacy and civil liberties.”

The Order directs development of policies and minimum standards applicable to all agencies that handle classified information, with those policies and standards addressing both internal and external threats.  Specific direction to agencies includes implementation of an “insider threat detection and prevention program” and performance of self-assessments to ensure compliance with the policies and standards.

In addition, the Order creates a number of different roles and responsibilities, including:

– establishing a Senior Information Sharing and Safeguarding Steering Committee (the “Steering Committee”), responsible for coordinating interagency activities related to the policies and standards addressed by the Order, which has 90 days to provide a report to the President regarding the state of security of classified information on computer networks;

– establishing a Classified Information Sharing and Safeguarding Office (the “CISSO”), which is to provide “sustained focus on responsible sharing and safeguarding of classified information on computer networks”;

– appointing the Secretary of Defense and the Director of the NSA as the joint Executive Agents for the Safeguarding Classified Information on Computer Networks program;

– establishing an interagency Insider Threat Task Force for addressing insider threats and safeguarding classified information by (1) developing policies for deterring and mitigating insider threats, (2) developing standards for implementing a Government-wide policy, (3) conducting assessments of agency programs for addressing insider threats, and (4) analyzing “new and continuing insider threat challenges” facing the Government.

The Order also separately handles two somewhat different situations. First, it clarifies that the newly created entities and the activities under the Order do not affect the protections afforded to the lawful actions of whistleblowers. Second, the Order specifies that the Intelligence Community (and in particular the DNI) may issue its own policy and guidance as it deems necessary.

In light of the high-profile data breaches that the Government has experienced, the framework called out in the Order represents a broad, multi-dimensional response to the very difficult insider threat problem. While no approach can completely prevent breaches arising from insider threats, the increased vigilance regarding such threats specified in the Order can certainly help reduce their likelihood. It remains to be seen, however, how the Order will affect commercial entities that do business with the Government.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.
