Stick or Carrot? Obama Calls for Public/Private Sector Cyber-Security Collaboration

Last Friday, President Obama continued his efforts of advancing cyber-security as a national priority. In a speech at Stanford University in the heart of Silicon Valley, the President emphasized the importance of collaboration between the public and private sectors to an audience of students, consumer-oriented companies, and representatives of the technology sector.

The focus is unsurprising for at least two reasons:

1. Consider his audience: this is a group from whom Obama has struggled to get consistent support and participation in cyber-security initiatives; and

2. Responding to criticism: the President took a lot of flak for earlier speeches on cyber-security due to their (over)emphasis on post-event notification to consumers

At the heart of Obama’s pitch was the Cyber Security Framework, a two-year in the making effort of the National Institute of Standards for Technology (NIST) initiated by the February 2013 Executive Order 13636, calling for improved protection of Critical Infrastructure from cyber-security threats. The Framework itself is a sound tool for driving some consistency of approach across public and private organizations for the assessment and remedy of unacceptable levels of risk. But it is (as its name suggests) only a framework; the success of using it to advance cyber-security posture depends entirely on the depth and accuracy of implementation, for which organizations are generally on their own. It’s a bit like a personal trainer providing a workout plan with limited customization and no actual monitoring of the workout. How many of those Russian twists will most of us do without the personal trainer barking encouragement over our shoulder?

Another element of the Framework, and really the major point of the President’s speech last week, is the necessity of information sharing between public and private companies. The President is on the right track in pushing more information sharing related to cyber-security incidents. The work of existing information sharing centers, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), has been a high point in the government involvement in cyber-security advancement. However, the proposals to enforce this sharing legislatively, faces significant head winds, both within Congress and at the private sector level. Both groups will likely keep a careful eye on the response of privacy advocates before going all in on these proposals.

The President also stated that the government “often has the latest information on these new threats.” This statement could suggest that this is not intended to be a one-way sharing model and the private sector will benefit from information from the government as much as the government will benefit from access to private sector data.  There is truth to this statement and the government does indeed have resources to offer.  Even if in many cases, the resources are private sector companies working under contract to the U.S. government to gather and analyze threat intelligence. Personally, I’d prefer to see more focus on the development of information sharing and analysis in other industries (there are others beyond the FS-ISAC) and the addition of well-defined plans.

The President was successful in garnering some support in conjunction with Friday’s speech — when frankly many companies don’t have a lot to gain by publicly backing the proposals.  Apple CEO, Tim Cook, gave an impassioned speech on privacy and civil rights, seemingly looking to counter-balance the potential negative impact of Apple’s support of the Framework.  Other organizations heavily focused on consumers (American Express, Kaiser Permanente, AIG among them) also showed support, mainly by stating their commitment to following the Framework. Some of the strongest commitments came from technology vendors like HP and Symantec, who have already announced plans for information sharing.

The Framework itself lays out a very basic level of processes and protections that most sophisticated security organization have long ago exceeded. Supporting the President here could represent a low-risk opportunity for these private sector companies. The information sharing order is another beast entirely, and not surprisingly it is being backed largely by vendors in the security space that possess internally managed (or partnership based) sharing and analysis capabilities. If the only real traction we see out of this is small groups of technology vendors sharing information, this could result in driving up proprietary products and services.  A risk that could essentially make backward progress in the endeavor of having more organizations turn the Framework into actual improvements in security.

So, what now lies ahead for the President’s proposal? It’s hard to say, and equally hard to define a next step to call the program a success. There is little dispute over the fact that legislation will never be able to keep up with the pace of emerging threats.  Unfortunately, at the end of the day, encouraging organizations to follow a solid but high-level framework to increase information sharing accomplishes little. Finding ways to make government more relevant to the execution of cyber-security operations – that could leave a legacy of impact on this growing issue.