In an Executive Order (the “Order”) released Friday, October 7, President Obama directed a number of activities to be carried out that are intended to “ensure the responsible sharing and safeguarding of classified national security information.” According to some pundits, the Order responds to a number of recent breakdowns in information security that has led to significant and embarrassing data breaches. The Order specifies “twin goals” of protecting classified information on computer networks but doing so in a way that is “consistent with appropriate protections for privacy and civil liberties.”
The Order directs development of policies and minimum standards applicable to all agencies that handle classified information, with those policies and standards addressing both internal and external threats. Specific direction to agencies includes implementation of an “insider threat detection and prevention program” and performance of self-assessments to ensure compliance with the policies and standards.
In addition, the Order creates a number of different roles and responsibilities, including:
– establishing a Senior Information Sharing and Safeguarding Steering Committee (the “Steering Committee”), responsible for coordinating interagency activities related to the policies and standards addressed by the Order, and it has 90 days to provide a report to the President regarding the state of security related to classified information on computer networks;
– establishing a Classified Information Sharing and Safeguarding Office (the “CISSO”), which is to provide “sustained focus on responsible sharing and safeguarding of classified information on computer networks”;
– appointing the Secretary of Defense and the Director of the NSA as the joint Executive Agents for the Safeguarding Classified Information on Computer Networks program;
– establishing an interagency Insider Threat Task Force for addressing insider threats and safeguarding classified information by (1) developing policies for deterring and mitigating insider threats, (2) developing standards for implementing a Government-wide policy, (3) conducing assessments of agency programs for addressing insider threats, and (4) analyzing “new and continuing insider threat challenges” facing the Government.
The Order also separately handles two somewhat different situations. First, it clarifies that the newly created entities and the activities under the Order do not affect the protections afforded to the legal actions of whistleblowers. Second, the Order specifies that the Intelligence Community (and in particular the DNI) may issue its own policy and guidance as it deems necessary.
In light of the high profile data breaches that the Government has experienced, the framework called out in the Order represents a broad multi-dimensional response to the very difficult insider threat problem. While no approaches can completely prevent breaches due to insider threat situations, the increased vigilance regarding such threats specified in the Order can certainly help reduce their likelihood. It remains to be seen, however, how the Order will affect commercial entities that do business with the Government.
