President Obama’s recent cybersecurity-related executive order, ultimately aimed at fostering cybersecurity threat and information-sharing between the public and private sectors, has stirred up mixed emotions, to say the least. The order does not provide legal protection for companies that share such information, which has led business owners and privacy advocates to argue it is doomed to fail. But some say those concerns are overstated, and that such models are already working well in the marketplace.
Against the backdrop of ongoing, incessant data breaches, the Sony Pictures hack, and the multi-million dollar bank cyberheist that came to light this week, it’s clear that cybersecurity attacks are a constant reality that enterprises must address. A cybersecurity summit last week at Stanford University in Palo Alto, Calif., brought together President Obama, the secretaries of Homeland Security and the Department of Commerce, and the CEOs of Apple, American Express, Kaiser Permanente, AIG and Pacific Gas & Electric, to discuss ways to stay ahead of the bad guys as technology rapidly evolves.
"When companies get hacked, Americans’ personal information, including their financial information, gets stolen," the President said in his address at the event. "Identity theft can ruin your credit rating and turn your life upside down. In recent breaches, more than 100 million Americans had their personal data compromised, including, in some cases, credit card information."
“This should not be an ideological issue,” the President added. “This is not a Democratic or Republican issue. Everybody’s online and everybody’s vulnerable.”
The executive order is meant to create a voluntary framework for “expanded information-sharing designed to help companies work together, and work with the federal government, to quickly identify and protect against cyber-threats.”
This includes setting up information-sharing and analysis organizations (ISAOs), to act as clearinghouses where companies and industries can share information with each other. It also calls for a common set of standards so the government can share information on threats with these hubs more easily.
“Government cannot do this alone,” Obama said. “The fact is that the private sector can’t do this alone either. It’s government that often has the latest information on these new threats.”
The summit and the EO are the latest in an ongoing White House cyber-push, which has included the creation of a new federal agency, dubbed the Cyber Threat Intelligence Integration Center, and the creation of a framework aimed at improving security for critical infrastructure.
“Cybercriminals are persistent, and their attacks are increasingly sophisticated; continuing the conversation among all stakeholders is critical,” said Sandy Kennedy, president of the Retail Industry Leaders Association (RILA). “President Obama’s commitment to these important issues, threat information sharing and payments security, is welcomed by retailers and we look forward to continuing to collaborate with the government on ways to help ensure retailers have the necessary partners and tools available to them in order to mitigate cyberthreats.”
The retail sector may applaud the efforts, but others are more wary of the idea. In a post-Edward Snowden world, sharing information with the government has not been a particularly popular topic among tech giants. Many of them suffered a big brand hit after Snowden leaked documents showing that companies like Google and Microsoft were working with the National Security Agency to aid in surveillance of suspected terrorists—unbeknownst to their customers.
Since then, most digital economy companies have worked on their privacy bona fides, through transparency reports and honed rhetoric. To that end, Apple chief Tim Cook took to the stage at the summit, calling privacy “a matter of life and death.”
"People have entrusted us with their most personal information," he said. "We owe them nothing less than the best protections that we can possibly provide by harnessing the technology at our disposal. We must get this right. History has shown us that sacrificing our right to privacy can have dire consequences."
CEOs from Google, Yahoo and Facebook turned down invitations to the event, not-so-subtly sending the message that sharing information with the government is not something they’re interested in.
Despite the snub, others in the online arena were optimistic—with caveats. “This order and the information-sharing initiatives are a step in the right direction, however the challenge will be in the implementation where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry,” said Ken Westin, security analyst for Tripwire. “The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just lawmakers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.”
Security expert Dave Frymier, Unisys’ CISO, believes the privacy and surveillance concerns here are both overblown and shortsighted. “Similar information sharing programs are currently working successfully in the DoD,” he said. “As long as the program is voluntary, the entity sharing the information can redact it to whatever extent their lawyers feel comfortable with. The rewards of such a program far outweigh the risks associated, which is why this will ultimately lead to its long-term success.”