A White House-led conference next week that will include government, industry, and other organizations presents an opportunity to move the existing foundation around cyber security forward, the Obama administration’s senior official in charge of coordinating cyber efforts said on Thursday.
“And so what we really want to talk about at the summit is how do we actually take the foundations that we’ve been building in this administration and really go those next few steps,” Michael Daniel, special assistant to the president and Cybersecurity Coordinator at the White House, said during a webinar hosted by the media services company Bloomberg Government. “What does it actually mean, for example, to be a consumer facing business and really have good cyber security? What does that actually look like? If you’re a startup, what does it actually mean to bake cyber security in at the very beginning to protect your intellectual property?”
The White House Summit on Cybersecurity and Consumer Protection next Friday at Stanford Univ. in California will include a wide range of industries and private sector entities, senior federal officials, and representatives from law enforcement, consumer advocacy groups, technical experts and students. The White House announced the summit last month in conjunction with President Obama’s new legislative proposal to strengthen information sharing between the private sector and the Department of Homeland Security’s around-the-clock cyber watch command, the National Cybersecurity and Communications Center.
The new proposal and call for the summit came on the heels of a malicious computer attack against the United States-based movie division of Japan’s Sony Corp. that was disclosed in November. That attack resulted in compromised emails and other personal information at Sony Pictures Entertainment, the shutdown of computers, and the theft of movies, and caused the company to withhold release of a satirical movie about a CIA-led assassination of North Korea’s leader. The Obama administration in December blamed North Korea for the cyber attack on Sony.
Daniel said that tackling cyber security issues is “a hard problem” that goes well beyond technical challenges, noting that it requires a broad-based approach that will have “to change an entire ecosystem that has been built up.” He said he wants a more detailed discussion about information sharing, and wants to explore the “granular set of fields that we want to be sharing,” what the privacy concerns are in these fields, and how to better build private-public partnerships to strengthen cyber security, as well as to examine international norms of behavior in cyber space.
To encourage more voluntary sharing by the private sector with the NCCIC about the cyber threat indicators companies are seeing in attacks on them, Obama’s legislative proposal calls for targeted liability protection for these companies. Industry officials believe this incentive will help foster greater information sharing and even provide an impetus to companies to take steps to further bolster their cyber security postures.
Congress this year is expected to take up various legislative proposals also aimed at strengthening information sharing and cyber defenses. Daniel said he is an optimist regarding movement on these bills but said developing the right laws to promote this sharing is difficult.
“You have to give companies enough assurances that they will share more than they are currently able to or willing to in most cases with the federal government,” Daniel said. “But at the same time we cannot introduce a situation where we are actually ironically encouraging underinvestment in cyber security because that would be a totally perverse outcome.”
On Monday Daniel posted on the White House Blog that so far the private sector believes that the best incentives for strengthening its cyber defenses are market-based. Still, he wrote, “the government must be willing to step in and incentivize best practices when private market incentives prove insufficient to achieve an appropriate level of cybersecurity.”
These incentives include streamlining regulations, identifying key priorities for research and development to strengthen cyber security, and improving federal procurement practices to account for cyber risk management as part of the acquisition process. Daniel also mentioned other possible incentives such as incorporating an existing voluntary cyber best practices and standards framework into agency grant guidance, as well as recommendations for “process preference, and cost recovery for price-regulated industries.”
Daniel said in the blog that one incentive that isn’t forthcoming from the federal government is “seal of approval” recognition of companies that take the right steps around their cyber practices. He said that this decision is based on feedback from the critical infrastructure community and that such recognition “would likely reduce the flexible use of the Framework.”
The administration in February 2014 published the Cybersecurity Framework, which was a federally managed effort in close cooperation with the private sector, in particular the critical infrastructure owners and operators, to bring together existing best practices and standards that can be widely adopted for boosting cyber defenses. Adoption of the framework is voluntary, and the framework is meant to be a living document that will be updated over time.