President Barack Obama stressed that government and private industry have a ‘shared mission’ in protecting the nation’s digital infrastructure prior to signing an executive order Friday that streamlines cyber threat information sharing.
The executive order allows for greater collaboration between companies and enables better information sharing while setting guidelines for better privacy and civil liberty protections.
‘This has to be a shared mission,’ Obama told a crowd at Stanford University during the White House’s Cybersecurity Summit. ‘So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats. There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.’
The order calls for the development of information sharing and analysis organizations, or ISAOs, that will be allowed to better collaborate with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, or NCCIC. It also would create clearances for private companies to access classified information that was not previously shared in public-private partnerships.
Dave Frymier, chief information security officer for Unisys corp., told FedScoop the government’s willingness to share classified cyber information is a ‘significant’ change from the current cybersecurity landscape.
‘The government has access to so much relevant indicator information that they haven’t exposed to us that would be really useful to know,’ Frymier said. ‘They have a lot of information that’s classified because they feel if they had revealed this information, it would expose information about the techniques and procedures they used for obtaining it. I think what [the government] has decided now is the value of making this information available to industry, so that industry can act on it, is greater than the value of concealing how they might have obtained the information.’
Over the course of the summit, a number of top administration officials and private CEOs talked about how they plan to leverage that new found information while also ensuring the privacy of their customers’ data.
American Express Chairman and CEO Kenneth Chenault said that the country needs to focus on a ‘constancy of values’ when dealing with the growing number of attacks.
‘We cannot allow this threat to change the constancy of values that are so essential to the future of this nation,’ Chenault said during a panel discussion.
Apple CEO Tim Cook also stressed the need to safeguard users’ privacy and security, telling the audience that ‘we must get this right.’
‘If we don’t do everything we can to protect privacy, we risk more than money. We risk our way of life,’ Cook said. ‘History has shown us that sacrificing the right to privacy can have dire consequences.’
A number of companies and organizations involved in the summit announced measures they will be rolling out to protect both user privacy and security, including Apple, Visa, MasterCard, and U.S. Bank. Heads of companies also spoke about how they have been integrating the National Institute of Standards and Technology’s cybersecurity framework over the past year, and how the framework will evolve as threats evolve.
‘It’s a really good first step,’ said MasterCard CEO Ajay Banga. ‘What you’ve got is a Rosetta Stone for everyone to talk the same language. Which, a little while ago in cybersecurity, we were not all talking the same language.’
However, Banga and his co-panelists agreed they would like to see new versions of the framework released based on the feedback provided by private companies.
‘We can’t sit on this right now,’ Banga said. ‘The other guys are moving way too fast. The guys you are trying to protect your system from are moving every day, every minute. Right now, there are people trying to hack into our companies. One of those idiots might succeed. That’s the most fearful part.’
Frymier told FedScoop he agreed that the framework should be updated as more information becomes available.
‘There are some things that are redundant, there are things that don’t seem to make sense, there are things that are probably missing,’ Frymier said. ‘Just like anything, the apple can be polished there.’
However things evolve, everyone in the room Friday seemed to be on the same page that more needs to be done – and be done quickly.
‘The real challenge is getting ahead of where the threat is trending,’ said Lisa Monaco, the assistant to the president for homeland security and counterterrorism. ‘To handle the security of the vast cyber ecosystem, the government and private sector have to work together. We have an unprecedented opportunity to move forward together.’
You can read the full executive order below.
Executive Order — Promoting Private Sector Cybersecurity Information Sharing