Obama signs executive order on sharing cybersecurity threat information

Washington Post – by Katie Zezima

PALO ALTO, Calif. – President Obama signed an executive order Friday that urges companies to share cybersecurity-threat information with one another and the federal government.

Obama signed the order, which is advisory in nature, at the first White House summit on Cybersecurity and Consumer Protection at Stanford University here. The summit, which focused on public-private partnerships and consumer protection, is part of a recent White House push to focus on cybersecurity.  

Obama said the prospect of cyberattacks are one of the nation’s most pressing national security, economic and safety issues. The specter of a cyberattack crippling the nation’s air traffic control system or a city with a blackout is real, and hacks such as the one on Sony Pictures last year are “hurting America’s companies and costing American jobs.” He also said they are a threat to the security and well-being of children who are online.

“It’s one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm,” Obama said before a cheering, friendly audience here at Stanford’s Memorial Auditorium.

The order the president signed here encourages the development of central clearinghouses for companies and the government to share data and creation of centers where data can be shared across specific geographic regions. Obama pushed for collaboration between the public and private sectors.

“There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners,” he said.

The order is part of a broader White House effort to beef up the nation’s cybersecurity infrastructure, something the administration wants to push on Capitol Hill. Last month Obama proposed legislation that would shield companies from lawsuits for sharing threat data with the government. Last month he

Obama said shortly after he took office he realized that cybersecurity is “one of the most serious economic national security challenges that we face as a nation” and made confronting them a priority. Obama has signed other executive orders, including one that calls for the creation of voluntary standards to bolster the security of computer networks in critical industries and a framework for cybersecurity and another last year to protect consumers from identity theft. So far nothing has been able to stem the tide of attacks such as the one against Sony or others against retailers including Home Depot.

Both privacy groups and Silicon Valley companies have said they would oppose the legislation Obama proposed last month unless reforms are first made to the NSA’s surveillance program.

U.S. government surveillance activities have been seen as a potential liability for tech companies that operate globally.

“Seventy to 80 percent of the user bases for a lot of these companies are the foreigners who get very little protection under our system,” explained Julian Sanchez, a senior fellow focused on technology and civil liberties at the Cato Institute. “If they don’t display some push back, they know they won’t do very well with those markets.”

In December of 2013, major tech companies including Apple, Google, Twitter, Facebook, Microsoft and Yahoo joined together in the Reform Government Surveillance coalition, urging the President and Congress to impose restrictions and oversight measures on U.S. spying programs.

The President agreed in principle to some limits on spying programs, including the bulk collection of domestic phone records, during a speech last year. But progress on reforms has been too slow for some privacy advocates, as the administration urged for legislative action that has yet to succeed.

Tech companies, meanwhile, have taken some measures into their own hands by strengthening and expanding their deployment of encryption to secure users’ online activities – setting up a conflict between the companies and law enforcement who warn that such actions may make it harder for them to pursue crime and terrorism which increasingly includes a digital component.

“I think it’s fair to say that changes on the technology front have outpaced governmental and legislative efforts,” said Andrew Crocker, a legal fellow at civil liberties group the Electronic Frontier Foundation.

Obama addressed privacy concerns in his speech, calling himself someone who “deeply values his privacy and his family’s privacy – although I chose the wrong job for that.” He described a difficult balancing act the government must go through to both protect its citizens and ensure their privacy.

“I have to tell you that grappling with how government protects the American people from adverse events while, at the same time, making sure that government itself is not abusing its capabilities is hard,” he said. “The cyber world is sort of the wild, wild West.  And to some degree, we’re asked to be the sheriff.”

At the same time, people “rightly ask” what safeguards they have for their privacy, which is difficult because technology often outpaces rules that have been put in place.

The government has to be “constantly self-critical and we have to be able to have an open debate about it,” he said.

The CEOs of companies including Google and Facebook did not attend the summit, though Apple CEO Tim Cook did. Obama had lunch with a number of business leaders, including Cook, American Express CEO Kenneth Chenault and Renee James, president of Intel.

Speaker Boehner’s office was critical of Obama’s order. “Unilateral, top-down solutions will not solve America’s cyber problems,” said Boehner spokesperson Cory Fritz. “The President should work with Republicans to enact the types of common-sense measures that passed the House twice in recent years with strong, bipartisan majorities but stalled in the Democratic-controlled Senate.”

The order would put the Department of Homeland Security in charge of approving and making sure companies can access the information sharing programs and analyses of cybersecurity threats.  It will also allow the National Cybersecurity and Communications Information Center to enter into agreements with the organizations, which have yet to be developed. Companies including the Cyber Threat Alliance and Entertainment Software Association will announce they will build programs using the parameters of the executive order.

A number of companies announced Friday that they are incorporating the administration’s cybersecurity framework, which was created after a 2013 executive order, into their companies. The framework helps businesses decide how to use cybersecurity investments, ways to implement cybersecurity for new companies and measure their programs against others. Intel, Apple and Bank of America use framework and will announce that they will require all vendors to use it. Both QVC and Walgreens will say they will employ the framework in their risk management practices, while Kaiser Permanente will commit to using it as well.

Businesses will also announce secure payment programs at the conference. MasterCard will put more than $20 million into new cybersecurity initiatives, Visa will commit to tokenizing credit cards and Square, along with the Small Business Administration, will work with small businesses to encourage them to use secure payment technologies. Companies will also announce that they are moving toward multi-factor authentication, which uses a number of steps to ensure that the person paying with a credit card is the authorized user.

The event will also include a push for greater transparency when it comes to credit scores. Nationstar, working with FICO, will announce it will make credit scores available to their customers for free by the end of the year.

Juliet Eilperin and Andrea Peterson contributed to this report.

http://www.washingtonpost.com/blogs/post-politics/wp/2015/02/12/obama-to-sign-executive-order-on-cybersecurity-threats/