STANFORD, Calif.—President Obama’s visit here Feb. 13 at the White House Summit on Cybersecurity and Consumer Protection was a high-visibility indicator that the federal government has made cyber-security a national security and public safety issue—and one in which private enterprise is sorely needed to provide innovation against an increasing number of cyber-attackers.
“We have a lot more work to do to solve these [data breach] problems, which are causing billions of dollars’ worth of loss in our economy each year,” Obama said. “We need all of us to work together to achieve what none of us can achieve alone. And it’s hard. Some of these issues have defied solutions for years.”
Before a capacity audience of Silicon Valley executives, invited guests and members of the media, the president signed and enacted an executive order meant to get this back-channel information-sharing cooperation moving in real time. The order asks organizations to invest in improving cyber-security defenses, become proactive in helping each other when crises arise and not be shy about asking the federal government for assistance.
‘Privacy, security, business interests mutually reinforce each other’
Ryan Gillis is vice president of Government Affairs and Policy at Palo Alto Networks and former director of Legislative Affairs and Cybersecurity Policy for the National Security Council, based at the White House. Gillis, who was at the Feb. 13 event, told eWEEK that “the way that privacy, security and business interests all interact and mutually reinforce each other—that’s something that’s been missing in the messaging around information sharing in the legislative debates over the last few years.
“Too often it’s been pitted that privacy is at odds with security in business. Overwhelmingly, when you better protect your networks, better protecting me as a consumer and an individual, and as a company that’s better protecting my customers, I have a better relationship because I’m not issuing data breach notifications to them that we’ve lost your Social Security number [to a hacker].
“Helping drive that there is overwhelming commonality among those three interests will be of tremendous benefit,” Gillis said.
Matt Loeb, CEO of ISACA, a global industry association of 115,000 cyber-security, IT governance and assurance professionals, was a panelist at the event. He told eWEEK via email that “President Obama’s address strongly reinforced the purpose of the summit. Collaboration between the private and public sectors, including the need for real-time information sharing, is critical to addressing the cyber-security challenges we face.”
‘Cyber-security is a matter of public safety’
“Protecting the privacy and civil liberties of the American people is critically important. However, cyber-security is a matter of public safety. Protecting privacy starts with good security. Substantially greater investments in technology and in the training of new cyber-security professionals is paramount,” Loeb said.
“Cyber-security is everyone’s business. Beyond the training of new cyber-security professionals, having more cyber-aware consumers can be of help in curbing today’s cyber challenges. More significant public awareness campaigns are needed.”
How Cyber-security Leaders Evaluate White House Strategy
Ken Xie, CEO of Fortinet, also a summit panelist, told eWEEK that “the biggest obstacle is that our industry is extremely shorthanded: It’s estimated we can only fulfill one in every 20 technology positions needed in the cyber-security space. Who will mitigate the threat? Where and who are the cyber-SWAT teams? Who will train the responders? Answers to these questions remain unanswered.
“There are also opportunities within the industry to enact standards that could better ensure the efficacy of solutions and those who implement them. Going back to the lack of human resources with technical expertise in the field, many … professions that are expected to hold a high level of expertise like lawyers, doctors and architects require higher education and post-graduate degrees,” Xie said.
“At Fortinet, we developed our rigorous Network Security Expert (NSE) program to independently certify the experience and expertise of our customers, partners and employees. There is definitely an opportunity for more formalized and broader cyber-security education that could encourage more students to become security experts and also set standards that organizations can use as an indicator of expertise.”
More needed on minimum standards
Xie believes that more can be done to set minimum standards or independent validation of security solutions within the cyber-security industry.
“Right now there are few ways to validate the effectiveness of any particular solution. That’s a reason that we work to get our products validated by an independent organization like NSS Labs, as an example, to really prove that our products are effective. … The actions that President Obama spoke to today are definitely a step in the right direction,” Xie said.
During the Feb. 13 event, Trustwave Senior Vice President of Government Solutions and Special Investigations Phil Smith participated in a task force in Washington, D.C., alongside Secret Service, FBI and other cyber-security industry leaders. Together they watched the president’s speech and other speakers.
President’s remarks ‘a great beginning’
“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber-arms race,’” Smith said in an email to eWEEK. “That statement is significant because it puts organizations and individuals on notice that cyber-security is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection; however, it will not work without safe harbor protections for companies that participate.”
An executive order can only go so far, Smith said. “It takes congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful,” Smith said.
“When organizations share information, they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”