Obama's Order Ups the Ante on Cyber Security Information Sharing
President Obama issued an executive order aimed at persuading companies that suffer breaches to share information in an effort to provide a more coordinated response to cyberattacks. Though it stops short of mandating that they do so, the president is also introducing legislation that will pave the way for greater information sharing between the private sector and government agencies including the Department of Homeland Security. The legislation also calls for the modernization of law enforcement authorities to fight cybercrime and the creation of a national breach reporting authority.
The order, signed today by the president at the Cybersecurity Summit at Stanford University in Palo Alto, Calif., sets the stage for the latest round of debate on how to protect the nation's infrastructure and consumer information without compromising privacy and civil liberties. Obama's push to promote information sharing, which could help provide better threat intelligence and methods of responding to attacks, nonetheless won't sit well with organizations that are loath to do so over concerns about liability and business impact.
Specifically, the president has proposed the formation of information sharing and analysis organizations (ISAOs). These will be private sector groups that would share information and collaborate on issues related to cyber security by creating Information Sharing and Analysis Centers (ISACs). It expands on the information sharing executive order Obama issued two years ago to the day and outlined in his State of the Union Address that led to the release of last year's Cybersecurity Framework.
Since then, of course, cyber attacks have become more severe, with the 2013 Target breach, major attacks last year against Apple, Home Depot, the IRS, Sony and now this year's compromise of customer info at Anthem, the second largest health insurance provider.
Obama also met today with some key industry executives at the Cybersecurity Summit in Palo Alto, including Apple CEO Tim Cook and Intel president Renee James. Besides Cook, top CEOs are conspicuous by their absence, including those of Facebook, Google, IBM, Microsoft and Yahoo. The president signed the executive order at today's summit.
The order also seeks to let law enforcement agencies prosecute those who sell botnets, while making it a crime to sell stolen U.S. financial information such as credit card and account numbers to anyone overseas. It will also give federal law enforcement agencies authority to go after those who sell spyware and give courts the authority to shut down botnets.
Several key IT providers and large at-risk companies attending the summit today announced their support for the framework, including Intel, Apple, Bank of America, U.S. Bank, Pacific Gas & Electric, AIG, QVC, Walgreens and Kaiser Permanente, according to a fact sheet released by the White House.
While some just announced support for the framework, Intel released a paper outlining its use and stated that it is requiring all of its vendors to use it as well. Apple said it's incorporating it as part of its broader security across its networks. Also requiring its vendors to use the framework is Bank of America, while insurance giant AIG said it is incorporating the NIST framework into how it underwrites cyber insurance for businesses of all sizes and will use it to help customers identify gaps in their approach to cyber security.
The White House also said several members of the Cyber Threat Alliance, which includes Palo Alto Networks, Symantec, Intel and Fortinet, have formed a cyber threat-sharing partnership that aims to create standards aligned with its information sharing order. Along with that, according to the White House, Box plans to participate in creating standards for ISAOs with plans to use its Box platform to extend collaboration among ISAOs. Further, FireEye is launching an Information Sharing Network, which will let its customers receive threat intelligence in near real time (including anonymized indicators).
Several companies are also announcing efforts to extend multifactor authentication, including Intel, which is releasing new authentication technology that seeks to make biometrics a more viable alternative to passwords. Credit card providers and banks, including American Express, MasterCard and its partner First Tech Credit Card Union, are all advancing efforts to pilot and/or roll out new multifactor authentication methods including biometrics and voice recognition.
Much of the buzz is about the failure of the tech CEOs to attend, but it looks like today's event at Stanford has shown some potentially significant advances by companies and some proposals by the president that will certainly extend the noise level of debate from Silicon Valley to the Beltway.
What's your take on the president's latest executive order?
Posted by Jeffrey Schwartz on 02/13/2015 at 12:48 PM