On February 13, 2015, the White House held its first Summit on Cybersecurity and Consumer Protection at Stanford University. The Summit convened leaders from the federal government, business sector, technology industry, law enforcement, academia, and law not only to celebrate accomplishments in cybersecurity, but also to discuss opportunities for improvement in the cybersecurity and data privacy space. The Summit showcased panel discussions addressing a myriad of issues including public-private collaborations and partnerships in cybersecurity, improvements in cybersecurity practices at consumer oriented businesses and organizations, and the adoption of more secure payment technologies. There were also a number of break-out sessions regarding cybersecurity information sharing, international law enforcement cooperation, improving authentication, and new ideas on technical security. President Barack Obama, who has vowed to make cybersecurity a top priority, delivered the keynote address.
Citing many of the innovative companies and technologies that originated at Stanford, President Obama noted in his address, “It’s one of the great paradoxes of our time that the very technology that can be used to do great good can also be used to imperil us and do great harm.” In order to help address and minimize the risk that these technologies can create, President Obama introduced four guiding points for cybersecurity. Firstly, there must be a shared mission: no one sector can address these issues alone and therefore, the government and industry must work together and share appropriate information. Secondly, the various actors must focus on their unique strengths. Many private companies are not equipped with the robust intelligence resources necessary to combat a massive data breach and hence, must work with the government if they are breached. Thirdly, there must be constant evolution. The private and public sector must continue to design new defenses as hackers’ technologies become more sophisticated each day. Fourthly, “we must protect the privacy and civil liberty of the American people.”
While speaking of the progress that the United States has made with cybersecurity, President Obama announced and signed a new Executive Order “to encourage and promote the sharing of cybersecurity threat information within the private sector and between the private sector and Federal government.” The Executive Order has a framework for information sharing “designed to help companies work together with the federal government to quickly identify and protect against cyber threats.” President Obama reiterated that cybersecurity is not an ideological issue and that everyone is impacted and vulnerable to cyber attacks.
Secretary of Homeland Security Jeh Johnson moderated the first panel of the day, which focused on the public-private collaboration in cybersecurity. The panelists included CEOs and representatives at top U.S. companies, with each panelist working in a different industry. Panelists drew on their own experiences to address how the public and private sectors can work together to safeguard consumers and protect the economy and national security. For example, in responding to Hurricane Sandy, Anthony Earley, Jr., chairman and CEO of Pacific Gas & Electric, recalled how he had to work with the federal government and had it not been for the collaboration with the government and financial industry, “the response would not have been optimal.” Elizabeth Sherwood-Randall, the Deputy Secretary of the Department of Energy, said that she often has to work with the private sector as much of the energy sector is privately owned and much of the cutting edge research on cybersecurity in the energy sector is completed in privately owned research labs.
Throughout the discussion, all of the panelists agreed that the public-private collaboration in cybersecurity is essential if these entities are to adequately protect the American people and their data from evolving cyber threats. The panelists noted that there must be robust information sharing that is timely and responsible. Furthermore, the information sharing must be reciprocated, meaning that the government must share information with the private sector and the private sector must share information with the government. “This work cannot be adversarial, we have enough adversaries out there. This has to be like a new Manhattan Project, where the government and private sector come together,” said Earley. One of the areas where some of the panelists were particularly critical of the government was its slow bureaucracy and failure to eliminate outdated barriers. Kenneth Chenault, chairman and CEO of American Express, noted that there was an outdated law that limits American Express’ ability to contact its customers via mobile phone. Therefore, American Express cannot send fraud alerts via text to most of its customers. Chenault called for a faster moving bureaucracy that could swiftly update legislation to address such fraud and security concerns.
Jeh Johnson ended the panel by emphasizing that the federal government and private sector must “strike a balance between basic physical security and the things we cherish as Americans,” such as privacy, civil liberties and diversity. Johnson said, “We can build higher walls but we cannot do so in a way that changes who we are as a nation.”
The second panel, moderated by U.S. Secretary of Commerce Penny Pritzker, explored ways that businesses and organizations can improve their cybersecurity practices. Throughout the discussion, Pritzker emphasized the importance and utility of the Framework for Improving Critical Infrastructure Cybersecurity (“Cybsecurity Framework”) that was released by the National Institute of Standards and Technology on February 12, 2014. During this panel, numerous companies announced their commitment to using the Cybersecurity Framework, which provides a roadmap to prioritize and optimize cybersecurity investments, and managing cybersecurity risks. Ajay Banda, the CEO and President of Mastercard, articulated the importance of agility stating that the “framework must keep changing as the threat evolves.”
In addition to the Cybersecurity Framework, this panel covered a plethora of issues ranging from customers’ data privacy expectations to the role of cyberinsurance. All of the panelists agreed that cybersecurity is not merely an American issue, but an international issue, having immense ramifications in an increasingly global world. The panelists mentioned that the global nature of the internet and the associated cyber threats have caused some countries to become more protectionist and fearful of interacting across borders. The United States must work on collaborating with other countries on these issues.
The final panel focused on payment technologies and examined opportunities for innovation in this area. With U.S. Deputy Secretary of the Treasury Sarah Bloom Raskin moderating a panel of business leaders from various financial institutions, much of the discussion centered on retail payment systems and what these institutions are doing to secure the financial information of their customers. Paypal president and CEO, Dan Schulman, stated that “the average American company gets hit with about 7 million intrusion attempts per year,” and for those in the financial sector, this number is much greater. In order to protect consumers’ financial data, these financial institutions must be amenable to innovation and must stay ahead of what is currently available. Richard Davis, chairman and CEO of U.S. Bank, said that their goal is to get to tokenization where the chip will no longer be necessary. Many of the financial institutions are also working on biometrics as a form of security. “Biometrics is the ‘new generation’ of secure payment technology,” said Alexander Gourlay, the President of Walgreens.
Overall, “Banks are not competing with regard to cybersecurity. Instead there’s collaboration to protect consumers,” noted Davis. After the Denial of Service attacks in the past couple of years, the banking industry, regulators, and law enforcement began working together. Davis believes that this collaboration has been beneficial for the financial industry and should be replicated by other sectors.
A full agenda of the Summit can be found here. The official White House fact sheet about the Summit can be found here. A blog post about the Executive Order can be found here.