The White House Summit on Cybersecurity and Consumer Protection is being held at Stanford University on Friday, February 13, 2015. The purpose of the summit is to bring technology leaders and cybersecurity advocates together to help the federal government craft the best initiatives on cybersecurity protection. The summit will also foster public-private collaborations to improve information sharing.
CISOs in attendance
The CEOs of Google, Yahoo, and Facebook were invited but will not attend the summit. Instead, all three companies will be sending their CISOs, and that’s a good thing. Let’s face it, network security has often been a secondary concern for most businesses, seldom getting the budget or staffing it deserves; C-level executive buy-in is often lacking (see Ron Gula’s blog post on Cybersecurity is a C-Level Activity). This is made worse when a CISO reports to the CTO, who reports to the CFO, instead of directly to the CEO, further relegating security to a lower priority in the business. Some feel that companies that send their CISOs instead of their CEOs to the White House summit are perpetuating the status of security playing second fiddle to what are perceived as more important business concerns. But while other major companies are sending their CEOs, I believe that sending a CISO shows just how far cybersecurity has come in a very short time.
Elevating cybersecurity to a national debate
The White House Summit on Cybersecurity and Consumer Protection is an effort to help outline public and private sector efforts to protect consumers and companies from the increasing problem of online threats and attacks. Getting stakeholders together from disparate groups is a good thing, especially when those people are in charge of the topics being discussed for their organizations. Most of the people participating in panels and official discussions at the summit will be from government or large companies, but there will be a few representatives from the security industry and even some privacy and civil liberty advocates.
Over two hundred representatives of the worldwide media will also be present at the summit. This summit is mostly about getting support for the President’s recent proposals on data breach notification, data sharing, and changes to the Computer Fraud and Abuse Act (CFAA), not to mention the recently announced Cyber Threat Intelligence Integration Center.
There hasn’t been much dissension on the first two initiatives; everyone seems to agree that information sharing and data breach notification are good things. There have been some arguments over the potential wording of forthcoming legislation, but for the most part, these are welcome developments. On the issue of data breach notification, a new federal law will hopefully supersede the various individual state laws, giving companies with a national presence a few fewer headaches as they try to comply with the more than forty different state notification laws currently on the books.
A debate over the President’s proposal to “modernize” the Computer Fraud and Abuse Act has begun. The thirty-year-old CFAA has long been criticized as being vague and no longer appropriate for the digital age we now live in. New proposals are calling for additional violations, longer prison sentences, and incorporating parts of RICO (the Racketeer Influenced and Corrupt Organizations Act), but that would still leave the current law with vague language and undefined terms.
A new Cyber Threat Intelligence Integration Center (CTIIC) has also been announced, and it has already come under heavy criticism. Some feel that the new agency duplicates the efforts of the National Cybersecurity and Communications Integration Center (NCCIC), which is part of the Department of Homeland Security. However, the new CTIIC would report to the Office of the Director of National Intelligence (ODNI), similar to the National Counterterrorism Center. Of course, involving ODNI has privacy advocates watching closely, especially since there has been talk of giving immunity to companies that accidentally spill PII when sharing cyber threat information with the government. The key to making this new agency work will be convincing private industry to actually share its threat data, which some companies have been reluctant to do.
Preventive measures are still necessary
All of these new initiatives—from breach notification and data sharing to increased penalties and a new threat information sharing agency—will not prevent or deter future attacks. Sure, we may be able to identify the attacks and the perpetrators a whole lot faster, but these initiatives won’t prevent all of them. For prevention, you need to go back to the basics: scan, identify and patch.
Elevating cybersecurity in your organization
The fact that the President of the United States has organized a summit on information security tells us just how important this topic has become. Cybersecurity should no longer be a small line item in your overall IT budget; it should no longer report three levels down from the top. Security should be at the same level as an organization’s operational, compliance, marketing and financial concerns. So if a company sends its CISO instead of its CEO to the White House-sponsored cybersecurity summit, it shouldn’t be considered a mistake; it should be considered a bellwether of just how important cybersecurity really is.