Stanford University, Feb. 13, 2015
It was an honor to attend the White House Summit on Cybersecurity and Consumer Protection and I applaud President Obama’s efforts to bring together an impressive group of leaders across a broad range of industries, government and law enforcement officials, and consumer and privacy advocates to discuss cybersecurity. This is an issue that affects us all and clearly has no borders.
While there were several core themes discussed throughout the day, three key takeaways are of particular interest to private industry:
Public-Private Collaboration is Critical
The overarching theme presented by the White House was how to boost collaboration between companies and agencies in order to combat hackers. The announcement, in the days preceding the Summit, of the new Cyber Threat Intelligence Integration Center (CTIIC) was just a first step. Further underscoring the importance and urgency the White House attaches to the issue, President Obama signed an Executive Order at the Summit directing the creation of Information Sharing and Analysis Organizations (ISAOs), which will enable companies and the government to share classified cyber threat information. Only with ongoing sharing of threat information between the government, including the Department of Homeland Security and the Federal Bureau of Investigation, and companies across industry groups will we be successful.
With much of the order voluntary, companies across all industries are also being asked to step up now, not only to share threat information but also to establish best practices within their organizations in order to protect their constituencies in the future. This too is critical, since the maintenance of best practices is closely tied to a company’s ability to get cyber insurance.
Understanding Vulnerabilities is Key to Improving Best Practices
The need to focus on the security systems operating behind consumer payment systems, in order to make it harder for hackers to steal information, is absolutely critical, and Apple CEO Tim Cook was quite persuasive on this point. But to stop at payment systems alone would not solve the problem of cyber hacks. Single-factor authentication, or the password as the primary form of security, is a dated practice that should be replaced with more secure technologies in order to enhance consumer protections online.
Companies also need to be mindful that criminals can breach a business’s defenses in any number of ways – directly through company networks and also indirectly through the network of vendors and third-party service providers. What is needed is a fuller understanding of all the possible threats, malicious actors and the broad range of tactics those actors will employ. Across all industries, companies are facing a highly complex and constantly evolving threat environment with new attackers and attack methods to be wary of in order to protect their partners, clients and customers.
What Comes Next is Even More Meaningful
While it is essential for the United States to take a leadership role on this important issue, with guidelines and processes for internal consumption, we cannot merely look inward. We are living and working in an increasingly interconnected and globalized environment, and that environment also includes criminal elements. Cyber threats from foreign countries, such as Russia, China and North Korea, keep growing. Sharing information alone won’t stop them. The next steps from our government in protecting our nation’s business must be even more meaningful. We urge cooperation with international law enforcement agencies to help protect companies from foreign-based threats and to help make significant progress in this area.