16 February 2015

Obama, Tim Cook, Others Debate Sharing Cyber Security Data

Thomas Claburn
2/14/2015

The Obama White House wants more effective sharing of cyber security data between the public and private sectors. Despite some snubs, Apple's Tim Cook spoke at a special summit on the issue.

Representatives from the public and private sector gathered at Stanford University on Friday, Feb. 13, to call for greater sharing of cyber security information amid lingering mistrust arising from involuntary information sharing programs run by intelligence agencies, both domestic and foreign.

The absence of four top tech leaders invited to the White House Summit on Cyber Security and Consumer Protection -- Facebook CEO Mark Zuckerberg, Google CEO Larry Page, Google executive chairman Eric Schmidt, and Yahoo CEO Marissa Mayer -- may convey something of that mistrust, or may merely reflect scheduling conflicts or expediency.

A Facebook spokesperson confirmed via phone that Zuckerberg is not attending, declining to cite a reason, but noting that Chief Security Officer Joe Sullivan is playing a prominent role at the event.

In an email, a Yahoo spokesperson said, "Our chief information security officer, Alex Stamos, will be representing Yahoo today. Given the focus of the conversation, it made the most sense to have Alex lead on our behalf."

Google did not respond to a request to clarify why Page declined to attend.

Yet, characterizing nonattendance as a snub sounds plausible because of past statements these executives have made framing governments themselves as security threats. Zuckerberg last year published an open lettercriticizing the US government for the damage it has done through indiscriminate information-gathering.

Zuckerberg wrote that he was "confused and frustrated by the repeated reports of the behavior of the US government," a reference to Edward Snowden's revelations about the scope and audacity of data gathering by the US and its allies.

"When our engineers work tirelessly to improve security, we imagine we're protecting you against criminals, not our own government," he wrote. "The US government should be the champion for the Internet, not a threat. They need to be much more transparent about what they're doing, or otherwise people will believe the worst."

Page and Mayer last year expressed similar sentiment.

It's not just the US government's intelligence operations that concern private companies. The 2010 Operation Aurora cyberattack on Google and dozens of other companies was linked to hackers with ties to China's military.

At the same time, it's too simplistic to see private industry and government authorities as opposing sides.

The technology industry does not have a unified position with regard to data sharing and privacy, which figures into cyber security. Apple CEO Tim Cook, in his Summit speech, sounded a familiar theme by suggesting that Apple's "straightforward business model based on selling the best products" is fundamentally better for privacy and security than advertising-based business models, like those used by Facebook and Google.

But beyond disagreements about business models, private and public sector companies have reason to seek better sharing of threat data, something both have striven to do for decades. The simple reason is that each needs the other to make cyber security more effective.

Thus, Facebook earlier this week launched ThreatExchange, an API for sharing threat data. And both Google and Yahoo, through the trade group TechNet, have backed the Cyber Intelligence Sharing and Protection Act, now working its way through the legislative process. Despite the mistrust, there's common ground too.

Speaking at Stanford, President Obama emphasized that common ground when he introduced a set of legislative proposals to improve cyber security, including one that seeks to codify mechanisms for sharing cyber security information between the public and private sector.

"Just as we're all connected like never before, we have to work together like never before," Obama said. "...The very technology that empowers us to do great good can also undermine us and do great harm."

Earlier this week, the administration announced the creation of its Cyber Threat Intelligence Integration Center. And at the Summit, President Obama signed a new executive order to promote better cyber security information sharing.

[The Anthem breach holds lessons for IT. Here's what your business should learn.]

But there's doubt sharing threat information is really the optimal way to improve cyber security. In a statement, Kevin Bankston, policy director of New America's Open Technology Institute, said that in light of the revelations about mass surveillance, the White House should focus on working with Congress to pass surveillance reform rather than providing the NSA with more information in the name of cyber security.

"In the wake of the Sony cyber incident, the Administration is clearly under pressure to take action on cyber security," said Bankston. "But we should remember that the attacks on Sony were made possible due to that company's poor security practices and outdated software, not due to a lack of information sharing."

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

No comments: