The Summit brought together the US leaders with different walks of life to discuss the new US Cybersecurity Framework. Government, industry, tech companies, non-governmental organizations and educational institutions joined their efforts to construct the best solutions to bolster cybersecurity, although the presented measures were not accepted unanimously. One of the controversial proposals of the Framework is the public-private collaboration on cybersecurity.

This aspect includes the mutual practices of sharing information on cybersecurity threats and incidents between companies. According to the Executive Order[1], these collaborations should be voluntary, through the so-called Information Sharing and Analysis Organizations (ISAOs). These would aim to share information related to cybersecurity, addressing existing and potential risks as well as enhancing information security procedures and mechanisms. In turn, the ISAOs are supposed to voluntary cooperate with the Federal Government. In general, the idea should seem alluring for the businesses especially in the light of recent hack attacks, such as the notorious Sony pictures[2] and Anthem[3] breaches. Besides, the voluntary nature of public-private collaboration provides an illusion of choice, of “opt out” for companies who are not ready to share their cybersecurity data. Some companies, such as Symantec, Palo Alto Networks, and Intel express a keen interest in such an initiative. At the same time, some tech giants, such as Facebook, Google and Yahoo!, do not burst with enthusiasm, bearing in mind Snowden’s revelations and concern over the NSA spying and protecting the privacy rights of their customers.

Even though the Executive Order embraces privacy as one of its key areas[4], this looks more like an attempt to lullaby the vigilance of companies, privacy advocates and users than as a solid pillar for executing cybersecurity. Indeed, the Executive Order’s section 5 dedicated to privacy and civil liberties protections states the fair treatment of personal information and business confidentiality in according with the privacy and civil liberties policies, including the Fair Information Practice Principles. Yet, all this said with the reservation that any of statements should be considered as superseding existing measures related to intelligence and law enforcement operations[5]. Appealing to Snowden’s Revelations, the shiny privacy claims fade in the light of the watchful eyes of the omnipotent US intelligence agencies. The Foreign Intelligence Surveillance Act (FISA), the USA Patriot Act, and Electronic Communications Privacy Act (ECPA) provided the National Security Agency (NSA) with the extensive rights to intervene in people’s personal data in the US and beyond[6]. Taking this into account, the hesitation on the side of the US companies may be well justified, given their worries about their reputation on local and global scale and consequent, potential losses.

Nevertheless, the fact that the US government, urged by an acute post-Snowden situation, took some slight policy steps towards privacy enforcement cannot be denied. The measures on protecting student data[7] as well as a highly-anticipated draft of the Consumer Privacy Bill[8] have awakened in the society a hope that the fair privacy-surveillance balance will be achieved one day. However, privacy reforms and measures are notably lacking behind the cyber security initiatives. Many questions remain in this regard. The long-lasting issue of a strong encryption was again swept away from the Summit agenda, rather being discussed privately between the companies’ executives and Obama after the Summit. The wide implementation of a strong encryption could enhance both cybersecurity and privacy, but would also limit the NSA’s capability of easy-tapping into the flows of personal data. To some extent, the fact of postponing an open dialog on this issue shows that so far, the surveillance-privacy scale is tipping towards the former. Thus, when the US President asserts that “[w]hen people go online, we shouldn’t have to forfeit the basic privacy we’re entitled to”[9], it seems rather superficial in view of the illusory nature of current privacy legislation.

Lastly, the Executive Order may stir up the previous EU-US privacy debates, concerning the fair balance between state surveillance and private life. Moreover, US companies operating in the EU might have to take additional measures to assure the compliance of their privacy policies with the EU legislation.

[1] http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

[2] http://www.theguardian.com/technology/2014/dec/05/sony-pictures-hack-north-korea-cyber-army

[3] http://www.zdnet.com/article/health-insurer-anthem-hit-by-hackers-up-to-80-million-records-exposed/

[4] http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

[5] http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

[6] European Parliament (2013e, July 4). 2013/2682(RSP). Resolution on the US National Security Agency surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ privacy. Retrieved from  http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2013-322

[7] http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

[8] https://www.huntonprivacyblog.com/2015/03/articles/white-house-releases-discussion-draft-consumer-privacy-bill-rights/

[9] http://www.whitehouse.gov/the-press-office/2015/02/13/remarks-president-cybersecurity-and-consumer-protection-summit