Continuing his push for stronger cyber security and his willingness to use executive authority to jumpstart security initiatives, as anticipated President Obama signed an Executive Order (EO) Friday meant to urge organizations to share cyber threat intelligence with each other and government.
Noting in a speech at the Cybersecurity and Consumer Protection Summit at Stanford University, that “it's not appropriate or even possible for government to secure the computer networks of private businesses,” Obama said the only way to defend the country from cyber threats is "through government and industry working together, sharing appropriate information as true partners.”
The EO calls for the creation of information sharing and organizations (ISAOs) where threat intelligence could be shared among companies and the Department of Homeland Security (DHS) as well as voluntary information standards for industry to follow.
The EO will also give DHS the “authority to enter into agreements with information sharing organizations,” according to information released by the White House in preface of the summit.
Larry Clinton, head of the Internet Security Alliance (ISA), reaffirmed in a statement ISA's belief that “the President's EO is the single most visionary statement of any world leader on cyber security, and we made great progress in the first step, which was the NIST framework.”
The president's call to action drew a metaphoric round of applause from many in the security industry, business and government as a clear step in the right direction to bolster the country's cyber resilience and help companies better fend off the kind of attacks that felled Sony Pictures, Home Depot and others. But it also raised a bevy of concerns, chiefly among them, the likelihood of increased government spying and how shifting regulations would affect companies' own policies.
Frank Keating, president of the American Bankers Association, issued a statement praising “the steps taken by the administration today,” saying it would “help the business community and government agencies share critical threat information more effectively.”
Financial institutions have been particularly hard hit by cyber-attacks and Keating expressed the need for helping “businesses improve their awareness of threats and enhance their response capabilities.”
No doubt, it was both symbolic that the White House chose Silicon Valley as the locale to hold the summit, which featured Apple, Inc. CEO Tim Cook as the morning keynote speaker, and unveil the EO.
The government DHS has been spending a lot of time trying to both raise cybersecurity awareness with the public and woo firms in that tech-rich area and seize on their innovation, to modernize government's cybersecurity stance.
In an interview with SC Magazine last fall, Phyllis Schneck, deputy under secretary for cybersecurity for the National Protection and Programs Directorate (NPPD), the chief cybersecurity official for the U.S. DHS, said her agency wanted “to combine the policy developed on the East Coast with open creativity out West.”
But some are claiming that it is equally symbolic and could indicate a sticking point that many of the major technology companies like Facebook and Google didn't send their CEOs to the summit.
While Facebook demurred that CEO Mark Zuckerberg had other plans and it would be sending another exec to participate in one of the day-long gather's panels, many believe the companies, who have been vocal critics of government surveillance, are showing their displeasure with what they see as government overreach.
While private to private information-sharing is nothing new, Ari Schwartz, senior director for cybersecurity at the United States National Security Council Staff told an audience at SC Congress in Chicago in November that companies may still be hesitant to share information with competitors. Likewise, private companies have not wholly trusted government to protect information it receives from them, protect it and use it properly.
But government is going to need the support of Silicon Valley firms if it is to achieve its cybersecurity aspirations, particularly persuading Congress to pass legislation, as the White House has urged.
Saying the EO “is being done in lieu of a cybersecurity act being passed by Congress,” French Caldwell, former Gartner vice president and fellow and now chief evangelist at MetricStream, mused in a Friday email correspondence with SCMagazine.com that it raises a question of whether “this Executive Order actually advances getting a bill through Congress or does it cause delay because Congress can say that the president already did something under his existing legal authority?'”
The order certainly “doesn't address what was in the [2012] cybersecurity act” that failed to make it through Congress, Caldwell said, noting that it is both “extraordinarily narrow in scope” and that “there are lots of words like ‘voluntary' in it.”
With large and damaging breaches at Sony and Anthem “still fresh in mind,” Caldwell said “the time to strike to bring the Right and Left sides together is right now.”
