In-brief: President Obama will address technology leaders at a Summit at Stanford University on Friday. But technology industry leaders say that much hinges on Washington’s ability to pass needed legal reforms.
President Obama travels to the beating heart of the U.S.’s burgeoning technology industry today to speak about the growing importance of cyber security to the nation’s economy and national defense and to encourage U.S. businesses to share more information about cyber attacks with each other -and the government.
But technology industry executives who will attend the event say that the Whitehouse Cyber Security Summit won’t amount to much if U.S. lawmakers in Washington can’t manage to pass much-needed, and much delayed cyber security legislation.
President Obama will be the keynote speaker at the event, billed as a Summit on Cybersecurity and Consumer Protection.” The event is being held at Stanford University. The President is expected to call on U.S. firms to share more data about cyber attacks such as the recent, destructive attack on Sony Pictures Entertainment. Reuters reports that the President will issue an Executive Order to that effect.
[Read more Security Ledger coverage of the Obama Administration’s actions on cyber security.]
President Obama has articulated a five point plan for improving cyber security. It includes initiatives to protecting critical infrastructure from cyber threats, securing federal networks, improving the ability of the government and private sector to identify and report cyber incidents, efforts to promote Internet freedom internationally and promoting a cyber-aware workforce.
The Summit will feature an address from Apple’s CEO and the President. It will also include sessions on cybersecurity information sharing, international law enforcement cooperation and alternatives to password-based authentication. The Summit will conclude with a panel on “new ideas on technical security” featuring chief security officers from Microsoft, Google, Yahoo and Facebook.
Companies that provide security products and services have long cited the need for more fluid sharing of intelligence about cyber events – to and from the government and the private sector, and between private sector firms, said Haiyan Song, the senior vice president of security at the technology firm Splunk.
Song, who will be one executive in attendance at the Whitehouse Summit, likens increased sharing of information about incidents like data theft to a “neighborhood watch” in which companies that see suspicious activity can make the broader community aware of it.
“The reality is that hackers use the same templates over and over again,” Song told Security Ledger. “If we can get those ‘indicators of compromise’ back into the system, then it becomes real and valuable,” she said.
Currently, private sector firms are reluctant to share that kind of information for a number of reasons. Among them: concerns about bad publicity stemming from any cyber incident, damage to their corporate brand and the specter of lawsuits filed by shareholders, harmed consumers or business partners, Song said.
The event has garnered as much attention for who will not be there as for who will. With the exception of Apple’s Tim Cook, CEOs of other leading technology and social media firms including Microsoft, Yahoo, Facebook and Google will not attend. Most have sent senior information security executives in their stead.
While schedule conflicts are the official reason for the CEO no-shows, media reports have suggested that executives like Facebook’s Mark Zuckerberg, Yahoo!’s Marissa Mayer and Google’s Larry Page may be using their absence to send a not-so-subtle message of protest over U.S. government surveillance programs.
RSA, the security division of the firm EMC will send its Chairman, Art Coviello and President, Amit Yoran, to the event. Michael Brown, RSAs Global Public Sector Vice President, said that the controversy over government surveillance makes it incumbent on the government to articulate what amount of access to private information is “appropriate and legal” for law enforcement and the government. “They really need to articulate a rationale for that,” Brown said. “It’s not just about ‘when, where, and how.’ They also need to clearly articulate ‘why’ – for example: this is a matter of public safety and this is the only way we can get this information.”
But progress on any of those initiatives is unlikely in the current environment of legislative gridlock in Washington D.C.
Brown, of RSA, notes that the lame duck Congress following the November, 2014 mid-term elections was able to pass modest legislation that clarified the roles and responsibilities of the government with regard to the public sector. But he said “significant gaps” still exist in U.S. laws, which have not been updated to keep pace with changes in the computing environment.
Among other things: the U.S. still lacks a federal law governing the protection of consumer data and private sector responsibility in the event of a data breach. The 80s-era Computer Fraud and Abuse Act needs to be updated, Brown said. Finally, new laws that clarify the federal government’s position on information sharing and provide legal cover for companies that share intelligence about cyber incidents are sorely needed, Brown said.
The Obama Administration has taken steps recently to act in the absence of Congressional action. In addition to the rumored executive action, the President earlier this week announced the creation of a new agency to coordinate cyber intelligence.
The new agency is modeled on the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001 to facilitate intelligence sharing across agencies. Administration officials said the need for the agency became apparent in the wake of the attack on Sony Pictures, when the Administration couldn’t get a straight answer on who or what was behind the attack.