The White House is preparing a new cyber security executive order, which President Barack Obama will announce at Friday’s cyber security summit in Silicon Valley, to improve the sharing of information between companies and government about hacking threats.
In an event which will open with a speech from Apple chief executive Tim Cook, but not feature the leaders of Google, Facebook or Yahoo, the administration will seek to build a better working relationship on cyber security with the technology companies on the front line of defending against attacks.
The president’s executive action is designed to support the proposals he made to boost cyber defences in his State of the Union speech. It will simplify the bureaucratic process for transferring information about cyber attacks between the private sector and the government, in theory allowing the Department for Homeland Security to do a better job at managing the data on new threats.
However, the executive order will not address the main obstacle to information sharing, which has been the fear among companies that they could be sued for handing over sensitive customer data to the government. Congress has debated a number of bills in recent years that would provide liability protection to companies. However, no piece of legislation has yet been approved.
While Mr Obama’s cyber security push has been welcomed by the tech industry, he is facing some of the same suspicions over the privacy of online data that were highlighted by the Edward Snowden revelations about the NSA in 2013.
Asked on Thursday at a press briefing whether the White House regarded the absence of a number of chief executives from the summit as a snub following the NSA controversy, deputy press secretary Eric Schultz said: “I know that some companies are sending different representatives, but we are pleased at their participation.” Those attending included leaders in the tech sector, privacy advocacy, academia and business.
He added: “Some of the commitments that are going to be announced over the next day or so are pretty significant.”
In his State of the Union speech last month, Mr Obama again urged Congress to take up the information-sharing legislation.
Michael Daniel, special assistant to the president and cyber security co-ordinator, said the order was not intended to remove the need for legislation on information sharing, which could be far more extensive. He said it would “support” the legislative package rolled out this year and make it “easier” for Congress to pass it.
Mr Obama is hosting the cyber security summit at Stanford University on Friday. He is reaching out to technology companies to find ways to improve cyber security in the wake of high-profile attacks such as the security breaches at Sony Pictures, health insurer Anthem and several large retailers.
“The summit is really an opportunity to take stock,” Mr Daniel said. “Cyber space needs to be a strategic asset not only for the US but the world as a whole, as a driver of economic growth, a promoter of human rights and other growth online.”
Jeff Zients, director of the national economic council, said that cyber security had become not just a “cost of doing business” but also a “cost of staying in business”.
But he added the message was not just negative. “We have an opportunity to turn cyber security into a source of advantage,” he said. Good security would mean businesses around the world continued to store their data with American companies, use American banks and depend on American smartphones.
Technology companies, banks and healthcare providers are among the corporations pledging to take steps to improve security. Areas that will be addressed include payments systems, multi-factor authentication, which asks users to prove their identity with more than just a password, and supply chain security, a particular area of vulnerability that was highlighted in the attack on US retailer Target.
Many industries share threat intelligence through independent bodies called Information Sharing and Analysis Centers and these organisations often co-ordinate with the government. The new executive action could streamline this process, enabling large corporations to communicate directly with the Department for Homeland Security.
The administration announced a new cyber threat intelligence integration centre earlier this week, modelled on the National Counterterrorism Center established in the wake of the 9/11 attacks.
Sharing threat intelligence
Hackers may share and trade information on underground markets but companies and governments have been slow to co-ordinate their threat intelligence in a fast and easy way. Cyber security companies including FireEye, Crowdstrike and the Cyber Threat Alliance (which includes Palo Alto Networks, Symantec, Intel Security and Fortinet) will announce new information-sharing organisations and frameworks.
The president signed an executive order in October 2014 to improve consumer financial protection, launching the ‘Buy Secure’ initiative. On Friday, companies including Visa, MasterCard and Square are making their own commitments to improve the security of payments. Apple is also working with partners to make ApplePay available for users of federal payment cards, which are used by government agencies for procurement and recipients of federal benefits.
The end of the password
Technology and payments companies are announcing new initiatives they hope will help end the password, from multi-factor authentication — when a password is combined with, for example, a code texted to a smartphone — to biometrics. Intel and MasterCard are both working on biometrics, such as using facial and voice recognition to identify a customer.
Basic standards in cyber security
Apple, Intel and Bank of America are among the companies committing to using a cyber security framework, which covers basic security practices and how to prioritise spending on cyber security investments. The NIST framework was the result of the President’s executive order on critical infrastructure and cyber security, signed in 2013, originally designed to focus on key utilities and energy companies.
AIG, the insurance company, said it will incorporate the framework into how it underwrites cyber insurance, a nascent area where it is often difficult to calculate risk.
Source: Hannah Kuchler. FT