President's cyber security summit: Share attack info but protect privacy, civil liberties
The overriding message of the one-day event at Stanford University was that the government and private businesses need to share data they have about cyber threats in order to formulate faster responses and more fully understand the actual threat environment, says White House homeland security adviser Lisa Monaco. "There's no other way to tackle such a complicated task," she says.
She says cooperation can strengthen security and the ability to disrupt and respond to cyber attacks. That will result in more resilient networks that raise the costs for bad actors to launch successful exploits down the road. That in turn will mean fewer groups and individuals will have the resources to mount credible attacks.
This sharing of information can raise the specter of invasion of privacy if too much data is shared or if sharing results in personal data being exposed, speakers said.
Kaiser Permanente's Chairman and CEO Bernard J. Tyson says it's important to teach the public that sharing information about threats doesn't mean sharing personal information about its insurance and healthcare customers, which he says is a big concern for them.
Apple's CEO Tim Cook also warned against too much sharing of data, although not by business and private industry. Rather, he criticized, without naming names, businesses that sell personal information about customers' browsing habits and email to advertisers, an apparent reference to Google.
He also took a poke at the Department of Justice for criticizing Apple for encrypting iPhone data, something the government says will stand in the way of catching cyber criminals.
But government-private sector cooperation is a must for protecting critical infrastructure like the power grid and the Internet because most of it is privately owned, says Secretary of Energy Elizabeth Sherwood-Randall. In addition to better defensive security to block attacks, owners of critical infrastructure need information-sharing and assessment tools to respond quickly to attacks, she says.
Regulations governing how businesses handle personal information need to be updated, says American Express Chief Executive Kenneth Chenault. For instance, the company is limited in which of its customers it can send text or phone messages to when it suspects cards are being misused. He says that of those it can send text warnings to, it gets responses within seconds from 35% of them. The industry needs regulatory changes to allow texting everyone about suspicious use of their cards.
He also says the government needs to responsibly share knowledge about specific indicators of attacks, such as IP addresses.
During the summit, the Cyber Threat Alliance, founded by Palo Alto, Symantec, Fortinet and McAfee, announced four new members: Barracuda Networks, Reversing Labs, Telefonica and ZScaler. The goal of the group is for members to share threat information so they can build stronger defenses against advanced adversaries. It is described as an Information Sharing and Analysis Center (ISAC) for the security industry.