Nine Takeaways From the White House Cyber-security Summit

by Chris Preimesberger

President Obama said in his remarks Feb. 13 that cyber-security-related terrorist threats to governments and companies have increased fivefold since 2009. He specifically mentioned the Sony Pictures hack of last fall. He also noted that more than 100 million businesses and individuals were hit by online-related fraud or theft in 2014 alone. “No company has ever said they worked too hard to protect their systems and customers,” Obama said.

The president’s executive order of Feb. 13 identifies best practices and standards for what constitutes optimal information-sharing units within vertical industries, and measures the effectiveness of communication. These units, called hubs, are designed to create industry-driven, cyber-security information-sharing networks before breaches happen, so when intruders do hit one of the members, faster reaction and containment can take place. Some of these hubs are already in operation.

J. Michael Daniel, cyber-security coordinator at the White House, told eWEEK: “We’re not going to solve all of the really sophisticated actors or defeat all the advanced persistent threats just by increasing information sharing. But we have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders. I see this as a sort of baseline for us just to stay in the game.”

Ken Xie, CEO of Fortinet and a summit panelist, told eWEEK: “The biggest obstacle is that our industry is extremely short-handed: It’s estimated we can only fulfill one in every 20 technology positions needed in the cyber-security space. Who will mitigate the threat? Where and who are the cyber-SWAT teams? Who will train the responders? These questions remain unanswered.”

Phil Smith, Trustwave senior vice president of government solutions and special investigations, said during a panel discussion that “cyber-security is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection; however, it will not work without safe harbor protections for companies that participate.” However, Smith said, an executive order can only go so far. “It takes congressional action to mandate information sharing on a national level that includes liability protection,” he said.

Ryan Gillis, vice president of government affairs and policy at Palo Alto Networks and a former White House cyber-security official, told eWEEK: “The way that privacy, security and business interests all interact and mutually reinforce each other—that’s something that’s been missing in the messaging around information sharing in the legislative debates over the last few years. Too often, it’s been [stated] that privacy is at odds with security in business. When you better protect your networks, better protecting me as a consumer and an individual, and as a company that’s better protecting my customers, I have a better relationship because I’m not issuing data breach notifications to them that we’ve lost your Social Security number [to a hacker].”

“The cyber-world is sort of the wild, wild West, and to some degree, we’re asked to be the sheriff,” Obama said. “When something like Sony [data breach] happens, people want to know, ‘What can government do about this?’ When information is being shared by terrorists, people want us to find ways of stopping that from happening. By necessity, that means government can use its own significant capabilities in the cyber-world. But then, people plainly ask: ‘What safeguards do we have around government intruding on our own personal privacy?’ It’s hard. Government has to be continuously self-critical, and we need to continue to have an open debate on this.”

Previously, the president has signed directives involving improving critical infrastructure cyber-security, critical infrastructure security and resilience, and some federal policies in the cyber-security area, but no president has issued an order directing all sectors to share and share alike when it comes to finding out information about national and international bad actors in cyber-security.

Apple CEO Tim Cook, speaking before the president, explained that his company “will never sell our customers’ information to anybody.” He said that the new Apple Pay system, which was introduced last fall and enables iPhone users to conduct point-of-sale transactions without involving an exchange of personal information over the Internet, is “a huge improvement over a little plastic card with a magnetic stripe that we currently use.” Apple doesn’t store a user’s credit card number or purchase history, he said, adding that information is between a person and his/her bank.