Obama’s New Plan for Online Security Faces Some Big Questions

President Obama wants Corporate America to work more closely to fend off hackers, but his new plan won’t achieve much unless he can get Congress to work more closely with him.

At a tech conference at Stanford University Friday, Obama is expected to provide more details about a new federal cyber intelligence unit which is designed to better coordinate the analysis of various online threats.

The White House’s plan hinges on the idea that companies should unite in the face of a common threat. The basic idea is that if Anthem, Sony or Home Depot—all companies that have suffered major cyber attacks recently—shared in real-time how their defenses were breached, then other companies and the federal government would be better able to stop similar attacks.

To that end, Obama’s executive order is expected encourage companies to set up voluntary, information sharing and analysis organizations (ISAOs) to help other companies and the U.S. government disseminate information about cyber threats more quickly, according to a White House statement. (That part of the White House’s plan is not totally new. Voluntary Information Sharing and Analysis Centers, ISACs, already exist within many sectors, although in most industries, they’re flimsy at best.)

Senior industry figures as well as advocates and lawmakers concerned about consumer privacy say that while the Obama plan might sound good, it’s riddled with problems. They suggest that emphasizing rapid-fire, real-time information sharing raises a host of major legal questions ranging from privacy to anti-trust issues.

For example, analysts say that the kind of threat that companies would share at these new ISAOs are likely to include customers’ personal information. Privacy advocates say that such information would have to be carefully stripped-out or redacted before it could be shared—a process that would seriously slow down information-sharing efforts and give companies a reason not to share information that may get them in legal trouble later.

The White House, for its part, has gone the opposite route: it has proposed legislation that would legally shield companies sharing cyber threat information at ISAOs, but Congress hasn’t bitten. The executive action is expected to further that effort.

Others opposed to the Obama plan worry that the data shared at ISAOs could include highly-confidential or proprietary information about a company’s security system, which raises anti-trust questions. If two competing companies share proprietary information under the guise of sharing cyber-threat information, are they technically colluding with each other?

Meanwhile, some Republican lawmakers are opposed to the president’s plan because it suggests that the federal government would play too big of a role in the private sector by encouraging companies to communicate with government-monitored clearinghouses. “Unilateral, top-down solutions will not solve America’s cyber problems,” said Speaker John Boehner’s spokesperson, Cory Fritz, in a statement.

The White House has played down concerns about the new executive action, emphasizing that participating in the ISAOs would be entirely voluntary, that protecting civil rights would be a key component of the new sharing framework, and that companies would simply be encouraged to develop a common set of standards for better combatting cyber threats. White House Cybersecurity Coordinator Michael Daniel has said that the federal government can’t prevent cyber threats on its own and needs the private sector to take an active role in improving its own policies and sharing information.

Apple CEO Tim Cook is expected to speak at the conference at Stanford today, although top Google, Yahoo and Facebook executives have said that they will not attend. Their cooperation, as well as Congress’, will be the key to whether Obama’s ambitious new agenda actually happens.