Obama orders companies, government to share threat intel

President outlines 'shared mission' for government and the tech industry to become ''true partners' defending America

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

PALO ALTO — Pres­i­dent Oba­ma threw down a gaunt­let here today to ral­ly cor­po­ra­tions, Con­gress and the fed­er­al gov­ern­ment to address cyber attacks in a self­less way.

The pres­i­dent signed a mile­stone exec­u­tive order urg­ing the cor­po­rate sec­tor to dra­mat­i­cal­ly advance the shar­ing of cyber attack intel­li­gence among them­selves and with the fed­er­al government.

This has to be a shared mis­sion,” Oba­ma declared. “The only way to defend Amer­i­ca is through gov­ern­ment and indus­try work­ing togeth­er shar­ing appro­pri­ate infor­ma­tion as true partners.”

3C’s  newslet­ter: Free sub­scrip­tion to fresh analy­sis of emerg­ing exposures

The pres­i­den­tial order is advi­so­ry. It is the lat­est com­po­nent of the White House’s push to bet­ter pro­tect the nation’s crit­i­cal infra­struc­ture, while also pre­serv­ing per­son­al privacy.

But the prob­lem has become much big­ger than just pro­tect­ing strate­gic and mil­i­tary tar­gets. That was the theme of pan­elist dis­cus­sions at the first sum­mit on Cyber­se­cu­ri­ty and Con­sumer Pro­tec­tion con­vened at Stan­ford Uni­ver­si­ty, at which the pres­i­dent spoke.

Oba­ma invit­ed a who’s who of cor­po­rate execs to join mem­bers of his cab­i­net to dis­cuss secu­ri­ty and pri­va­cy in the dig­i­tal age. A clear con­sen­sus resound­ed from pan­el dis­cus­sions: cyber attacks by prof­it-mind­ed crim­i­nals and nation-state backed spies have risen to a lev­el where it is not just infra­struc­ture that’s at risk. Iden­ti­ty theft and data breach­es increas­ing­ly under­mine the nation’s every day economy.

Ken­neth Chenault, CEO of Amer­i­can Express, who spoke in sup­port of the President’s call for wider shar­ing, not­ed that the stakes are sky high.

Trust holds soci­ety togeth­er,” Chenault said. “Cyber­se­cu­ri­ty and con­sumer pro­tec­tion is real­ly about trust. That’s the bond for all of us and that’s what is very impor­tant about the ten­sions play­ing out now. We have to be very focused on the con­stan­cy of our values.”

Chenault called the new lev­el of infor­ma­tion shar­ing called for by the pres­i­dent a “high val­ue, low cost” way to accel­er­ate basic defens­es against data thieves and cyber spies

Peter Han­cock, CEO of giant insur­ance com­pa­ny AIG, gave an exam­ple of how the insur­ance indus­try could sup­ply infor­ma­tion about best prac­tices used by com­pa­nies that have begun to pur­chase data breach lia­bil­i­ty coverage.

AIG only insures com­pa­nies that have smart data secu­ri­ty poli­cies and defens­es in place. Han­cock said that shar­ing infor­ma­tion about what com­pa­nies are doing to qual­i­fy for data breach insur­ance could help raise the bar for all com­pa­nies, espe­cial­ly for small and mid size businesses.

Get­ting the sim­ple things right sig­nif­i­cant­ly reduces the fre­quen­cy and sever­i­ty of loss events,” Han­cock said. “That’s where we can help spread the word for a more secure data environment.”

Pri­va­cy protections

The pres­i­dent wants to see a cen­tral clear­ing­house for com­pa­nies and gov­ern­ment agen­cies to share data about attacks, as well as the cre­ation of cen­ters where such intel­li­gence can be shared across geo­graph­i­cal regions.

The Depart­ment of Home­land Secu­ri­ty would over­see the for­ma­tion of these clear­ing­hous­es. As stan­dards for shar­ing emerge, they must include pro­tec­tions for pri­va­cy and civ­il lib­er­ties, Oba­ma said.

Last month, the White House pro­posed leg­is­la­tion that would shield com­pa­nies from law­suits for shar­ing cyber­se­cu­ri­ty intel with the gov­ern­ment. And it is present­ly work­ing on draft­ing pri­va­cy rights legislation.

Pri­va­cy groups and Sil­i­con Val­ley com­pa­nies have said they would oppose such leg­is­la­tion for dif­fer­ent rea­sons. Google and Face­book did not attend the con­fer­ence. Apple CEO Tim Cook did, but used his keynote address to pro­mote Apple’s uni­lat­er­al secu­ri­ty ini­tia­tives. Cook made no men­tion on how Apple feels about shar­ing threat intel­li­gence along the lines of what the pres­i­dent wants to see.

Ron Gula, CEO of Ten­able Net­work Secu­ri­ty, said the pri­va­cy sec­tor ought to be sup­port­ive of infor­ma­tion sharing.

This exec­u­tive order rais­es aware­ness for the need to invest more into cyber secu­ri­ty,” Gula said. “Infor­ma­tion shar­ing is not the sil­ver bul­let to our prob­lems, but it’s a good start. It pro­vides orga­ni­za­tions with cen­tral­ized infor­ma­tion that presents real con­text around mali­cious activ­i­ties, which enables them to react faster than they would with­out it.”

Scott Hartz, CEO of cloud secu­ri­ty ven­dor TaaSera, expressed opti­mism that deep busi­ness rival­ries and par­ti­san pol­i­tics can be set aside to respond to the president’s ral­ly­ing cry.

We face a com­mon exter­nal ene­my and are fac­ing a grow­ing cri­sis of epic pro­por­tions,” Hartz said. “The Unit­ed States has always pulled togeth­er in times of need like this. Pro­vid­ed we reach a com­mon under­stand­ing of the prob­lem, I believe the gov­ern­ment and pri­vate sec­tor can reach a rea­son­able accommodation.”

More on emerg­ing best practices

3 steps for fig­ur­ing out if your busi­ness is secure

5 steps to secure cyr­tog­ra­phy keys, dig­i­tal certificates

6 steps for stop­ping hacks via a con­trac­tor or supplier


Posted in Cybersecurity, Data Privacy, News & Analysis