STANFORD, Calif.—Since the current president took office in 2009, the U.S. federal government has been pushing buttons to promote cooperation among law enforcement, the military, the private sector and its own agencies to band together and share information in order to stop—or least slow down—the increasing number of security breaches happening in the world.
Cyber-security problems are running amok, with theft and fraud causing billions of dollars in losses to business and individuals. So this is certainly a tall order. But talk is moving to action. On Feb. 13, the White House enacted an executive order for this back-channel cooperation to actually get moving in real time.
The order is nowhere near a law or regulation; it’s merely a strong suggestion from the leader of the free world for organizations to invest in improving cyber-security defenses, become proactive in helping each other out when crises arise and not be shy about asking the federal government for assistance.
Obama Calls for Password Workaround
Keynoting the first White House Summit on Cyber-Security and Consumer Protection here at Memorial Auditorium on the Stanford University campus, President Barack Obama signed the order before a capacity audience of Silicon Valley executives, invited guests and members of the media.
“We have a lot more work to do to solve these problems, which are causing billions of dollars’ worth of loss in our economy each year,” Obama said. “We need all of us to work together to achieve what none of us can achieve alone. And it’s hard. Some of these issues have defied solutions for years.
“For example, we need to better authenticate user identities because it’s just too easy for hackers to figure out user names and passwords … like ‘password’ or ‘1-2-3-4-5 … 7.’ Those are some of my previous passwords,” the president joked. “But I’ve changed them since then!”
The White House strategy includes starting up new information-sharing groups, called hubs, which are built around vertical industry sectors. The idea is to create industry-driven cyber-security information-sharing networks before breaches happen, so when intruders do hit one of the members, faster reaction and containment can take place. Some of these hubs are already in operation, Obama said.
Order Is a ‘Necessary Precondition’ for Cyber-security Success
“This is a necessary precondition to tackling our cyber-security problems,” J. Michael Daniel, cyber-security coordinator at the White House, told eWEEK. “We’re not going to solve all of the really sophisticated actors or defeat all the advanced persistent threats just by increasing information sharing. But we have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders.
“I see this as a sort of baseline for us just to stay in the game.”
The order, Daniel explained, specifically recommends the following:
1. It identifies best practices and standards for what constitutes optimal information-sharing units within vertical industries, and measures effectiveness of communication.
2. It fixes some internal communications within the federal government to make it clear that the part of the Department of Homeland Security that deals with cyber-security has the appropriate accesses to various other agencies when it comes to protecting critical infrastructure security.
3. It fixes an outdated executive order that deals with industrial security clearances in order to communicate with the private sector more effectively.
In his 22-minute address, the president called on all organizations and individuals who use the Internet —which is now about 98 percent of the world —to revisit their current security safeguards, become more aware of how intrusions can happen and help others when called upon.
President Issues Executive Order for Unity in Cybersecurity
Cyber-world: ‘The Wild, Wild West’
“The cyber-world is sort of the wild, wild West, and to some degree, we’re asked to be the sheriff,” Obama said. “When something like Sony [data breach] happens, people want to know, ‘What can government do about this?’ When information is being shared by terrorists, people want us to find ways of stopping that from happening. By necessity, that means government can use its own significant capabilities in the cyber world.
“But then, people plainly ask: ‘What safeguards do we have around government intruding on our own personal privacy?’ It’s hard.”
Government has to be continuously self-critical, Obama said, “and we need to continue to have an open debate on this.”
The Feb. 13 executive order is the latest instantiation of the Obama administration’s cyber-security strategy, the priorities of which are:
–protecting the country’s critical infrastructure—our most important information systems—from cyber-threats;
–improving the ability to identify and report cyber-incidents so that we can respond in a timely manner;
–engaging with international partners to promote Internet freedom and build support for an open, interoperable, secure and reliable cyber-space;
–securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets; and
–shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.
Previously, the president has signed directives involving improving critical infrastructure cyber-security, critical infrastructure security and resilience, and some federal policies in the cyber-security area, but no president has issued an order directing all sectors to share and share alike when it comes to finding out information about national and international bad actors in cyber-security.
Cook Talks Up Apple Pay
Before the president’s appearance, Apple CEO Tim Cook used his several minutes onstage to explain, among other things, how his company “will never sell our customers’ information to anybody.” Of course, that’s not the business Apple conducts.
He offered an overview about security features in the new Apple Pay system, which was introduced last fall and enables iPhone users to conduct point-of-sale transactions without involving an exchange of personal information over the Internet.
Cook called Apple Pay “a huge improvement over a little plastic card with a magnetic stripe that we currently use.” The company doesn’t store a user’s credit card number or purchase history, he said, adding that information is between a person and his/her bank. In addition to applause over the company’s commitment to keeping financial and health information secure and private, Cook received cheers when he talked about the company’s commitment to the environment.
IT-sector CEOs, company presidents or founders on stage at the conference included Cook, Aaron Levie of Box, Michelle Zatlyn of CloudFlare, Dan Schulman of PayPal, Renee James of Intel, Michael Brown of Symantec, Kevin Mandia of FireEye, Stina Ehrensvard of Yubikey, Blake Hall of ID.me and Mark McLaughlin of Palo Alto Networks.
Chief security officers on hand were Scott Charney of Microsoft, Eric Grosse of Google, Melody Hildebrandt of Palantir, Alex Stamos of Yahoo and Joe Sullivan of Facebook.
Non-IT executives included Kenneth Chenault, chairman and CEO of American Express; Bernard J. Tyson, chairman and CEO of Kaiser Permanente; Anthony Earle, Jr., chairman and CEO of Pacific Gas & Electric; Ajay Banga, president and CEO of MasterCard; Peter Hancock, president and CEO of AIG; Brian Moynihan, chairman and CEO of Bank of America; Richard Davis, chairman and CEO of US Bank; Mike George, CEO and president of QVC; Alexander Gourlay, president of Walgreens; and Charles Scharf, CEO of Visa.