On Friday, February 13, 2015, President Obama delivered the keynote speech and signed an executive order on cybersecurity information sharing at the White House cybersecurity and privacy summit held at Stanford University. Also participating in the summit from the federal government were the Secretaries of Homeland Security and Commerce, the Administrator of the Small Business Administration, the Deputy Secretaries of Energy, Homeland Security and Treasury, and senior White House and other agency officials. From the private sector, speaking participants at the CEO, president or COO level came from a range of companies including AIG, Apple, American Express, Bank of America, Box, CloudFlare, FireEye, FirstBank, ID.me, Intel, Kaiser Permanente, LexisNexis, MasterCard, Palo Alto Networks, QVC, Pacific Gas & Electric, PayPal, Symantec, Visa, Walgreens and Yubikey. Other speakers included academics, public interest organizations and chief security officers from major companies. The White House also invited an audience of other stakeholders and experts.
The Executive Order
The executive order (EO) seeks to make it easier for the federal government and the private sector to share cyber threat information while awaiting additional action by Congress on cybersecurity legislation. It is intended to further what the president, in his address at the summit, called the “shared mission” between government and industry concerning cybersecurity. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it is government that often has the latest information on new threats. There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.”
The EO encourages private organizations to develop information sharing and analysis organizations (ISAOs), which may be nonprofits, membership organizations or a private company. It also directs the Department of Homeland Security (DHS) to fund a non-profit organization to develop a common set of voluntary standards for ISAOs, and clarifies the agency’s authority to enter into agreements with ISAOs. Further, the EO adds DHS to the list of Federal agencies that may approve classified information sharing arrangements and takes steps to ensure that information sharing entities can appropriately access classified cybersecurity threat information.
While broadening the ability of the federal government to share threat information, the EO also emphasizes personal privacy. Under the EO, private sector ISAOs must agree to abide by a common set of voluntary privacy standards, which must include privacy protections, such as data minimization, for ISAO operation and ISAO member participation. Additionally, agencies collaborating with ISAOs under the EO will be required to coordinate their activities with their senior officials for privacy and civil liberties and ensure that appropriate protections for privacy and civil liberties are in place and are based upon the United States Federal Trade Commission’s Fair Information Practice Principles.
The President’s Remarks
In addition to stressing the importance of information sharing and signing the EO, the president highlighted several companies working to support the administration’s cybersecurity initiatives. “I want to acknowledge, by the way, that the companies who are represented here are stepping up as well. . . . You’ve got companies from Apple to Intel, from Bank of America to PG&E, who are going to use the Cybersecurity Framework to strengthen their own defenses. As part of our BuySecure Initiative, Visa and MasterCard and American Express and others are going to make their transactions more secure. Nationstar is joining companies that are giving their companies [customers] another weapon to battle identity theft, and that's free access to their credit scores.” The president also announced a “Cyber Threat Alliance” that includes companies like Palo Alto Networks and Symantec, which will work to implement the threat sharing protocols that are stipulated under the EO.
The president, several high-ranking administration officials, and a number of participating business leaders also called on Congress to pass information sharing legislation that could provide business with liability protections for the sharing of appropriate threat information. The president emphasized that this is not a partisan issue. The president and certain administration members also called on Congress to fund the Department of Homeland Security, with funding currently scheduled to run out late this month.
The president emphasized evolving cybersecurity and privacy issues as a major challenge of this century, implicating national security, economic security and prosperity, and family security. The technologies that “empower us,” he said, can “undermine us.” He discussed threats, needs, opportunities and actions in these areas, and said further privacy proposals from the administration would be coming later this month.
Our partner, David Turetsky, was invited by the White House to attend the summit, and also attended meetings at Stanford organized by the National Institute of Standards and Technology (NIST) the day before. His observations from the summit and those meetings include:
Companies repeatedly said that there are only two kinds of companies, those who know they have been hacked and those who do not know it. Speakers emphasized that monitoring and earlier detection are important as are other efforts to make entry, exfiltration and destruction more expensive and less valuable for intruders (e.g., through two-factor authentication rather than passwords, up-to-date encryption, certain storage techniques, etc.), but the expectation is that entry will occur.
Some speakers noted that after the Target data breach, many other companies distinguished that experience by noting they are not in the retail space. The Sony experience has changed that perspective for many.
Some companies find that the threat landscape changes so rapidly, in turn affecting their cybersecurity risk profile, that they reassess and budget for security monthly rather than annually; some also said that they think of these issues as fundamental to “trust” and directly related to their investment in their brand, which enters into their assessment of the stakes in this area.
Experts noted that there used to be a lot of talk about military-grade cybersecurity protection, but that grade of protection is increasingly moving into the commercial sector, reflecting that the commercial sector is sometimes targeted by the same, or even more sophisticated, attacks.
In certain industries that are also subject to state regulation, a couple of speakers noted with concern that they are increasingly spending time and effort on “compliance” rather than on improving cybersecurity. Others noted that some laws are impediments to consumer protection; one stated that one such law can prevent a company from texting all of its customers after a security breach, foreclosing a method of timely and effective notification that can limit the window for fraud.
Speakers noted that opt-in security is usually not effective and that often users do not cooperate. There has to be an effort to design security in. Some observed that perhaps the highest level of security requirements should attach to senior IT and other executives who have the most access, since their credentials may be the most valuable to hackers.
Some participants suggested more training needs to happen at many levels. For instance, some claimed that possibly 25 types of programming errors account for the lion’s share of software vulnerabilities and that this can be improved substantially through training and much better feedback.
The problems encountered down the road could be far worse in terms of impact than those encountered so far. Some examples given by speakers who said they were looking ahead include possible manipulation of industrial control systems worse than that which recently damaged a German steel plant, and the changing of sensitive records, such as medical records, that could result in serious harm, including death.