Groups to push for encryption, secure payments at White House cyber summit

12.02.2015
The White House heads west to Silicon Valley on Friday looking for ideas on how to improve the nation's cybersecurity, and members of President Barack Obama's administration are likely to get an earful.

The White House's first-of-its-kind cybersecurity summit at Stanford University will feature remarks from Obama and from Apple CEO Tim Cook, but participants are likely to hear a range of ideas about how to improve cybersecurity at U.S. businesses.

Scheduled panel discussions will focus on improving cybersecurity practices at consumer-facing businesses, on using cybersecurity as a business advantage, and on promoting secure payments.

The use of encryption could be a sticking point during discussions. Obama administration members have voiced concerns in recent months about Apple and Google adding encryption functionality to smartphones running their operating systems. Officials at the FBI and Department of Justice say a larger number of encrypted smartphones will allow criminals to hide their activities from police.

It's unlikely that the Obama administration will push for encryption workarounds at the summit, said Kevin Bankston, policy director at the New America Foundation's Open Technology Institute digital rights group. Instead, Bankston said he expects Obama to promote encryption.

"We do hope he will use it as an opportunity to reaffirm the White House's recognition of encryption technology as a cornerstone of the modern Internet economy and a critical tool for the protection of privacy and cybersecurity," Bankston said.

Other cybersecurity experts and summit participants hope a variety of security tools will be highlighted there.

Participants need to focus on how to improve the sharing of cyberthreat information between businesses and government agencies, said Phil Smith, senior vice president of government solutions and special investigations at cybersecurity vendor Trustwave.

Some U.S. lawmakers and tech trade groups have pushed Congress for years to pass legislation that would protect from customer lawsuits businesses that share this data. But privacy groups have objected to past bills like the Cyber Intelligence Sharing and Protection Act [CISPA], saying it would allow businesses to share too much personal information with the government.

"Sharing cyberthreat information between law enforcement, government agencies and the private sector is imperative to protecting the citizens of our country against the latest cyberthreats and I hope the summit will focus on that message," Smith said by email.

Smith hopes the summit will include discussion on a cyberthreat sharing program that goes beyond a voluntary framework and has some "teeth" that sets up a protected environment for information sharing.

The summit should also push for new secure payment technologies, said Stephen Orfei, general manager of the PCI Security Standards Council, a payments standards group. The summit has a panel discussion on secure payments on its agenda.

Obama's emphasis on cybersecurity, along with recent high-profile cyberattacks, have "put data protection front and center on the national stage -- which is a good thing for payment security," Orfei said by email.

Orfei expects that EMV [Europay, MasterCard and Visa] chip technology for payment cards will be featured at the summit "for good reason," he said. "It will button down security at the point of sale."

But EMV chip, or chip-and-PIN, adoption will push hackers to attack other types of sales, including online transactions where the credit card isn't physically present, he said. "We know that no single technology can keep us completely safe," he said.

The U.S. also needs to push basic security controls, such as daily log monitoring and strong passwords, because it's "disturbing" how often those basic controls aren't being used, he said.

Meanwhile, the National Retail Federation, a trade group, called on Obama to push payment card vendors to adopt chip-and-PIN technology. The U.S. government should also provide fraud protection for debit cards, like it does for credit cards, and it should encourage point-to-point encryption across the U.S. payment system, the trade group said in a letter to Obama.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Grant Gross