In-brief: Even with a high-profile summit in the heart of Silicon Valley, partisan gridlock back in Washington D.C. will make progress on cyber security impossible, experts say.
Last week’s White House summit on cyber security was an A-list affair, at least by security industry standards. In addition to bona-fide rock stars (President Obama and Apple CEO Tim Cook) there were plenty of information security rock stars. Among them: the chief security officers of some of the biggest technology firms on the planet: Microsoft, Google, Facebook and Yahoo!.
But less than a week after the high-profile event on the Stanford University campus, information security professionals say there are many reasons to be pessimistic about the prospects for major change.
Hampered by a fractured and partisan environment on Capitol Hill, both the Obama Administration and lawmakers will find it difficult to address many of the most critical issues highlighted at the Stanford Summit.
The Stanford University Summit was billed as the “White House Summit on Cybersecurity and Consumer Protection.” Speaking at the Summit, President Obama made much of the need for better cooperation between the government and private sector, especially in sharing information about cyber attacks and threats.
The President issued an Executive Order instructing the Secretary of Homeland Security (Secretary) to “strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs)” that would facilitate such sharing.
But critics note that the President’s reliance on an Executive Order was just one sign of the trouble ahead – with a familiar culprit: gridlock.
“I know people on both sides – Republicans and Democrats, people on the Hill and the White House who deal with these policy matters,” said John Dickson, a Principal at Denim Group. “I’ll tell you one thing, they are not talking to each other at all.”
The result is efforts on cyber security that are more symbol than action. Dickson said the Executive Order on information sharing is a good example of that.
“Obviously, the linchpin for information sharing is getting some comfort for commercial entities about liability and how that is defined,” he said. “And that simply was not addressed (at the Summit).”
Without expanded legal protections for sharing information about breaches, private firms are unlikely to be more open about them, mindful of consumer and shareholder lawsuits or damage to their corporate brand. “This stuff filters pretty quickly down to counsel who will look at it and say ‘hey, wait a minute!’”
It shouldn’t be this way. Cyber security is one of just a few areas of significance where there is broad, bi-partisan agreement. Still, Dickson said the Obama administration’s decision to act unilaterally, in the form of an Executive Action, fits a pattern and underscores the deep divisions between Capitol Hill and the Executive Branch.
And blame doesn’t end at the White House, Dickson said. The House and Senate – both in Republican hands – have not made efforts to lead on cyber security or offer their own vision and proposals. Neither side, Dickson said, seems to want to hand the other a victory.
Other factors may be at play, as well. The damage caused by classified information leaked by former NSA contractor Edward Snowden has turned the tide on the government’s post-9/11 vision of fluid information sharing between different branches of government.
“The Executive Branch is much more conservative than it was two years ago,” said Dickson. “I see a strong trend to protection against information leakage that leads to more stovepipes … (and) a more conservative approach for information sharing.”
Even before the Summit, the Obama Administration was contending with diminished expectations. The White House got a lukewarm reception from the high-tech community. Apple’s CEO Tim Cook was the only CEO of a large Silicon Valley firm to attend. Chief executives at firms like Microsoft, Yahoo!, Google and Facebook opted to send their senior information security executives to the event, instead. That was widely seen as a snub by firms who have been used unwittingly as tools of government surveillance in recent years.
The aftermath of the event has been muted, as well. With few concrete proposals out of the Summit and nothing with the force of law, it is difficult to measure the impact of the event.
“Above all, we need Congress to send a bill to the president that gives businesses legal certainty that they have a safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real-time and taking actions to mitigate cyber-attacks,” the American Bankers Association said in a statement released following the Summit.
Dickson said that the recent track record of Congress in tackling big problems doesn’t augur well for action on cyber security. “Even if people say the right things, I’m highly skeptical that anything will happen, given the recent past,” he said.