Obama orders companies, government to share threat intel
President outlines 'shared mission' for government and the tech industry to become ''true partners' defending America
By Byron Acohido, ThirdCertainty
PALO ALTO — President Obama threw down a gauntlet here today to rally corporations, Congress and the federal government to address cyber attacks in a selfless way.
The president signed a milestone executive order urging the corporate sector to dramatically advance the sharing of cyber attack intelligence among themselves and with the federal government.
“This has to be a shared mission,” Obama declared. “The only way to defend America is through government and industry working together sharing appropriate information as true partners.”
3C’s newsletter: Free subscription to fresh analysis of emerging exposures
The presidential order is advisory. It is the latest component of the White House’s push to better protect the nation’s critical infrastructure, while also preserving personal privacy.
But the problem has become much bigger than just protecting strategic and military targets. That was the theme of panelist discussions at the first summit on Cybersecurity and Consumer Protection convened at Stanford University, at which the president spoke.
Obama invited a who’s who of corporate execs to join members of his cabinet to discuss security and privacy in the digital age. A clear consensus resounded from panel discussions: cyber attacks by profit-minded criminals and nation-state backed spies have risen to a level where it is not just infrastructure that’s at risk. Identity theft and data breaches increasingly undermine the nation’s every day economy.
Kenneth Chenault, CEO of American Express, who spoke in support of the President’s call for wider sharing, noted that the stakes are sky high.
“Trust holds society together,” Chenault said. “Cybersecurity and consumer protection is really about trust. That’s the bond for all of us and that’s what is very important about the tensions playing out now. We have to be very focused on the constancy of our values.”
Chenault called the new level of information sharing called for by the president a “high value, low cost” way to accelerate basic defenses against data thieves and cyber spies
Peter Hancock, CEO of giant insurance company AIG, gave an example of how the insurance industry could supply information about best practices used by companies that have begun to purchase data breach liability coverage.
AIG only insures companies that have smart data security policies and defenses in place. Hancock said that sharing information about what companies are doing to qualify for data breach insurance could help raise the bar for all companies, especially for small and mid size businesses.
“Getting the simple things right significantly reduces the frequency and severity of loss events,” Hancock said. “That’s where we can help spread the word for a more secure data environment.”
The president wants to see a central clearinghouse for companies and government agencies to share data about attacks, as well as the creation of centers where such intelligence can be shared across geographical regions.
The Department of Homeland Security would oversee the formation of these clearinghouses. As standards for sharing emerge, they must include protections for privacy and civil liberties, Obama said.
Last month, the White House proposed legislation that would shield companies from lawsuits for sharing cybersecurity intel with the government. And it is presently working on drafting privacy rights legislation.
Privacy groups and Silicon Valley companies have said they would oppose such legislation for different reasons. Google and Facebook did not attend the conference. Apple CEO Tim Cook did, but used his keynote address to promote Apple’s unilateral security initiatives. Cook made no mention on how Apple feels about sharing threat intelligence along the lines of what the president wants to see.
Ron Gula, CEO of Tenable Network Security, said the privacy sector ought to be supportive of information sharing.
“This executive order raises awareness for the need to invest more into cyber security,” Gula said. “Information sharing is not the silver bullet to our problems, but it’s a good start. It provides organizations with centralized information that presents real context around malicious activities, which enables them to react faster than they would without it.”
Scott Hartz, CEO of cloud security vendor TaaSera, expressed optimism that deep business rivalries and partisan politics can be set aside to respond to the president’s rallying cry.
“We face a common external enemy and are facing a growing crisis of epic proportions,” Hartz said. “The United States has always pulled together in times of need like this. Provided we reach a common understanding of the problem, I believe the government and private sector can reach a reasonable accommodation.”
More on emerging best practices