On Feb 13, President Obama concluded a week-long cybersecurity push with a summit at Stanford University, attended by senior government officials and top executives from private industry. The CEOs of Apple, Bank of America, American Express, AIG, MasterCard, PayPal, and Visa, and the president of Intel, spoke at the event.
The summit came in the wake of a succession of large data breaches and amid a growing recognition that organizations need to rethink their cyber security defenses and the role government can play…
Below are the top discussion points from the summit, with CipherCloud’s analysis of each.
The formation of Cyber Threat Intelligence Information-sharing Center (CTIIC)
Mr. Obama announced at the summit the creation of the Cyber Threat Intelligence Information-sharing Center (CTIIC), a single entity that will coordinate the bi-directional flow of information between the private sector and government. The president made a strong case for such an office, arguing that rapid sharing of threat intelligence among agencies and private entities improves response to and recovery from cyber incidents. The center will also help strengthen international cooperation. Bernard Tyson, Chairman and CEO of Kaiser Permanente, echoed the President’s sentiment. Mr. Tyson said: “Protecting patient information is our utmost important task”, and for that, “Threat info sharing has become a priority for our board.”
Later that day, Obama signed an executive order to promote information sharing between public and private sector hubs. The executive order calls for the Department of Homeland Security to coordinate sharing programs and promote regional threat intelligence clearing houses for the private sector.
Our analysis: While information sharing has seen significant success within the private sector (FS-ISAC is one example), there has been no single, coordinated effort for threat information sharing between the private and public sectors. CTIIC will provide a central place where such sharing can take place.
For this effort to succeed, there has to be an open and transparent partnership between the two sectors. More importantly, as Nuala O’Connor, president and CEO of the Center for Democracy and Technology, pointed out, we need to take a respectful and legitimate position on the use of the shared information.
President Obama’s previous executive order on cybersecurity (issued two years ago), which also encouraged information sharing, fell short in providing any incentive for private companies to share information with the government. See my earlier analysis on Forbes.com. This time around, Obama proposed liability protection for companies that share information to address cyber threats. Though the proposal needs congressional approval, many see it as a positive step toward concrete incentives for two-way information sharing.
Business leaders may be reluctant to engage with the federal government for fear of increasing regulatory burdens and of the perception that they aid government data collection, especially in the wake of the Edward Snowden revelations. But the well-attended summit showed that private industry recognizes the role the government can play in the war against cyber crime: just as no individual company is expected to fight organized crime alone in the physical world, no one should face organized cyber crime alone.
Data protection & encryption
Data protection was front and center in the discussions, even though no specific legislation or initiatives were proposed on the subject. Obama, in his address, stressed the importance of protecting consumer data. Ajay Banga, President and CEO of MasterCard, noted that MasterCard is moving towards tokenization of payment card information: instead of the actual credit card number, a one-time token is used for each payment transaction. Both Apple Pay and Bank of America use similar technology to guard against credit card theft.
The summit occurred at a time when technology giants like Apple and Google are locked in a feud with the federal government over access to encrypted data on smartphones. Apple’s and Google’s latest technologies encrypt data on the phone with the user’s passcode, which effectively locks third parties, including the government and Apple itself, out of the data.
Apple CEO Tim Cook, in his speech at the summit, reiterated Apple’s commitment to building privacy and security into the fundamental design of its products. FBI Assistant Director Joe Demarest, Jr., however, renewed his call for Congress to pass legislation requiring companies to provide the government “back-door” access to encrypted data on devices.
Our analysis: Apple’s position, shared by Google and a few others, effectively puts consumers’ need for security and privacy ahead of the government’s need to access data. While consumer privacy advocates welcome such measures, in practice we need to balance the competing interests of national security and consumer privacy.
What we need are technologies that give law enforcement the specific information it needs, such as an attestation that the data in question is not evidence of money laundering or a terrorist threat, without revealing the data itself. Such technologies, along the lines of zero-knowledge proofs, exist today in limited forms (see my piece on zero-knowledge data). More research and development is needed to bring them into mainstream use.
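To make the tokenization idea concrete, here is an added example (not CipherCloud’s, MasterCard’s or Apple’s code) of a token vault: the merchant receives a random, single-use token and never holds the card number, so a breach of the merchant’s database exposes tokens that are worthless on their own. The TokenVault class, its tokenize/redeem methods, the 16-digit token format and the sample card number are all constructed for illustration; the example also goes a little beyond the text by validating the card number with the Luhn check and rejecting a replayed token.

```python
"""Payment-card tokenization: the merchant keeps a random, single-use token
and never holds the primary account number (PAN).

Added example, not CipherCloud's, MasterCard's or Apple's code. The vault
API, the token format and the sample card number are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is all digits and passes the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Token -> PAN mapping kept by the token service provider.

    Only the vault sees real card numbers. Merchants receive tokens, and the
    payment processor redeems a token once, at authorization time.
    """
    _store: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        """Issue a fresh single-use token for a validated card number.

        The token comes from the OS CSPRNG and is independent of the PAN, so
        it cannot be reversed, and it cannot be brute-forced offline the way
        a plain hash of the PAN could be. Two calls for the same PAN return
        two different tokens (one token per transaction).
        """
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # 16 random digits, shaped like a PAN so legacy fields accept it
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._store:
                break
        self._store[token] = pan
        return token

    def redeem(self, token: str) -> str:
        """Exchange a token for its PAN exactly once; a replay is rejected."""
        pan = self._store.pop(token, None)
        if pan is None:
            raise KeyError("unknown or already-used token")
        return pan


def checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: what gets stored is the token and the last four digits."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def authorize(vault: TokenVault, receipt: dict) -> bool:
    """Processor side: redeem the token to recover the PAN for authorization."""
    pan = vault.redeem(receipt["token"])
    return luhn_valid(pan) and receipt["amount_cents"] > 0


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"      # well-known test card number
    receipt = checkout(vault, test_pan, 1999)
    print("merchant stores:", receipt)  # the PAN never appears here
    print("authorized:", authorize(vault, receipt))
```

The design point is that the token is random rather than derived from the card number: a hash or encryption of the PAN would tie the token's secrecy to a key or to the small search space of card numbers, whereas a vault lookup ties it only to access control on the vault itself.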
Secure payment & biometrics
Obama announced that Visa, MasterCard, and American Express will participate in a “Buy Secure” initiative backed by the administration. There was a general recognition at the summit that the industry needs to move beyond current technologies, in particular static passwords, to secure electronic payments.
The secure-payment panel discussed biometrics as one technology that could take authentication beyond passwords. MasterCard announced plans to invest $20 million in cybersecurity protection and will launch a pilot program that uses biometric data to authenticate transactions. Renee James, the president of Intel, also discussed the importance of built-in biometrics and multi-factor authentication. The federal government will accept Apple Pay, which already uses fingerprint biometrics together with the Secure Element on the phone.
Our analysis: Plenty has been written on why relying on passwords alone is a bad idea. While no one disputes that, the password remains the most economical, scalable, and user-friendly (yes, even with the effort of remembering different passwords for different services) interface for authentication. What often breaks down are the other parts of user authentication: when Alice logs in from a foreign IP address and transfers $2M to an account in Russia, where she has never been before, the system should raise an alarm even though the correct password was used at login. If we focus solely on getting rid of passwords but fail to improve the surrounding processes, no amount of biometrics can help.
Two interesting initiatives discussed at the summit were MasterCard Safety Net and Apple Pay. The former proposes using data and analytics to monitor transactions, providing an additional layer of protection. Apple Pay, which already uses biometrics in conjunction with the user’s passcode, has turned mobile payment into an easy-to-use service that gets most of the related processes right.
With this focus on security, the future of mobile payment is bright. It will, in turn, enable more apps and services to be provisioned quickly for consumer use, including transportation, food delivery, medicine, and many more.
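The Alice scenario in the analysis above, and the data-and-analytics monitoring layer that Safety Net describes, both come down to scoring a transaction against what the user normally does. The following is an added example of such a check, not MasterCard’s or any vendor’s logic: the rules, their weights, the alert threshold, the per-user history and the sample events are all constructed for illustration.

```python
"""Risk scoring for a login followed by a transfer: a correct password alone
should not authorize a $2M transfer from a never-seen location to a
never-seen destination.

Added example, not MasterCard's or any vendor's logic. Rules, weights,
threshold, per-user history and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-user behaviour a real system would learn from past sessions (constructed).
HISTORY: Dict[str, dict] = {
    "alice": {"countries": {"US"}, "payees": {"acme-us"}, "typical_cents": 150_000},
    "bob": {"countries": {"US", "CA"}, "payees": {"bob-savings"}, "typical_cents": 40_000},
}


@dataclass
class Event:
    user: str
    password_ok: bool
    login_country: str   # geolocated from the login IP
    payee: str
    dest_country: str    # country of the receiving account
    amount_cents: int


def risk_score(ev: Event, history: Dict[str, dict]) -> Tuple[int, List[str]]:
    """Score 0..100 plus the reasons, from anomalies relative to the user's past."""
    profile = history.get(ev.user)
    if profile is None:
        return 100, ["no behavioural profile for user"]
    score, reasons = 0, []
    if ev.login_country not in profile["countries"]:
        score += 40
        reasons.append(f"login from new country {ev.login_country}")
    if ev.dest_country not in profile["countries"]:
        score += 20
        reasons.append(f"transfer to new country {ev.dest_country}")
    if ev.payee not in profile["payees"]:
        score += 20
        reasons.append("first transfer to this payee")
    if ev.amount_cents > 10 * profile["typical_cents"]:
        score += 30
        reasons.append("amount more than 10x the user's typical transfer")
    return min(score, 100), reasons


def decide(ev: Event, history: Dict[str, dict], alert_at: int = 50) -> Tuple[str, int, List[str]]:
    """'deny' on a bad password; otherwise 'alert' (hold for step-up
    verification or review) when the score reaches alert_at, else 'allow'."""
    if not ev.password_ok:
        return "deny", 100, ["password failed"]
    score, reasons = risk_score(ev, history)
    return ("alert" if score >= alert_at else "allow"), score, reasons


# Constructed sample events: Alice's case from the text, plus two routine ones for Bob.
SAMPLE_EVENTS = [
    Event("alice", True, "RU", "unknown-ru-account", "RU", 200_000_000),
    Event("bob", True, "CA", "bob-savings", "CA", 30_000),
    Event("bob", False, "US", "bob-savings", "US", 1_000),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        decision, score, reasons = decide(ev, HISTORY)
        print(f"{ev.user:6} {decision:5} score={score:3} {reasons}")
```

The point of returning the reasons alongside the score is operational: an analyst reviewing a held transfer, or a step-up prompt shown to the user, should say which signals fired, and the weights can then be tuned from the alerts that turned out to be false positives.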
As Ken Chenault, Chairman and CEO of American Express said eloquently, “’Trust’ is what holds a society together. A society needs to rely on a constancy of values such as trust, service, and integrity.” Cyber threats are beginning to erode this constancy of values, which can shake the very foundation of modern society. We, as a society, must unite and respond.
The initiatives set forth by the Obama administration, including the CTIIC, the executive order on information sharing, and the Buy Secure program, represent a few concrete steps toward better collaboration between the private sector and the government. In the big picture, however, information sharing is just one piece of the puzzle. Much more is needed to bolster cyber security practices across industries.
Cybersecurity is one of those bipartisan issues that both Republicans and Democrats can get behind. Will his initiatives become part of Mr. Obama’s presidential legacy? Only time will tell.