The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders, preceded the President with several speeches and panels. Here are some key takeaways from these earlier speakers, as well as a brief look at President Obama’s remarks:
- Collaboration is front and center. As a central theme of the summit, the calls for collaboration came early and often. The first speaker, Lisa Monaco, announced the creation of a new agency for coordinating federal government information about cyber threats: the Cyber Threat Intelligence Integration Center. Monaco, a White House security adviser, explained that CTIIC would serve to “connect the dots” for the current array of agencies with cybersecurity interests.
While CTIIC is aimed at collaboration within the government, other speakers stressed the importance of public-private collaboration. Brian Moynihan, CEO of Bank of America, called for the government to “lead with way” on collaboration. According to the CEO of American Express, Ken Chenault, information sharing is “the single highest-impact, lowest cost, and fastest way” to increase security. Collaboration is necessary, added Ajay Banga, CEO of MasterCard, because no one company can possibly spend enough alone to protect everyone. And in what is certainly an interesting comparison, Tony Earley, CEO of Pacific Gas and Energy, said that cybersecurity must be “a new Manhattan Project,” featuring a strong partnership between the government and the private sector.
There was also widespread agreement among panelists that regulations needed an overhaul. Chenault noted that regulations prevented AmEx from sending fraud alerts via text message to 90% of its customers. The 10% they can legally text, he said, usually respond within 60 seconds. Other panelists called for an update of the cybersecurity standards developed by the National Institute for Science and Technology. The current standards are “a good start,” said Banga, but they need to evolve if they are to be a “Rosetta Stone” that ensures all private sector entities are speaking the same cybersecurity language.
- Habeas data: is there a place for privacy? The panelists stopped short, however, of endorsing outright data-sharing with the government. “Wholesale collection of data in the hands of the federal government is not the solution,” stressed Nuala O’Connor, CEO of the Center for Democracy & Technology. She was not alone in this sentiment — Tim Cook, Apple’s CEO, repeatedly focused on the importance of privacy in his speech: “If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money. We risk our way of life.” Cook went on to introduce several measures Apple is implementing to ensure consumer privacy, and proudly asserted that Apple’s business model was focused on products and services, not on selling personal data.
- Cybersecurity is an economic issue, not an IT issue. The second speaker of the day, Director of the National Economic Council Jeffrey Zients, made the argument that effective cybersecurity simply makes good business sense. Inefficient or ineffective security measures waste resources up front, and leave open the potential for huge losses in the case of a data breach. Furthermore, Zients continued, cybersecurity and privacy protections are two sides of the same coin, as preserving customer trust is vital for any business. Such sentiments were echoed by CEO panelists throughout the day.
- “The password era is dead.” This quote came from Ajay Banga, MasterCard’s CEO, and the idea cropped up throughout the day’s panels and speeches. Two-factor authentication is on the rise, but the speakers at the summit went a step beyond that, advocating for widespread introduction of biometric security — voice recognition and retinal scans were both mentioned.
- The President charts the way forward. For all the dour notes of the Summit — identity theft, hackers bringing down electrical grids, erosion of global economic advantage — President Obama struck an optimistic chord. He noted the importance of the Internet to security and the economy, and argued that, with the right approach, the Internet could contribute to peace and prosperity for years to come. Speaking of our still-young Internet Age — 26 years by his count — the President stated, “As they say at Google, the future is awesome.” The President charted his course to that future, organizing his talk around four principles:
- Sharing information. Echoing the clear theme of the day, the President reiterated the importance of sharing information about threats in order to deal with them.
- Playing to each sector’s strengths. The President noted that most of the information necessary to deal with cyber threats is contained in private sector networks. At the same time, he argued, government will often have the most up to date information and the most tools to coordinate responses to cyber-attacks when they occur. For this reason, cooperation between the two is needed.
- Remaining flexible and constantly evolving. Besides a general call to keep current with ever-changing threats, the President’s implication seemed to be the need to revise dated legislation. Washington has difficulty doing that in general, and particularly so in an arena where “dated” can mean only a few years old. Indeed, the President’s recent legislative proposals envision updates to the Racketeering Influenced and Corrupt Organizations Act, as well as the Computer Fraud and Abuse Act.
- Maintaining personal privacy. The President stated that going online ought not to mean forfeiting basic rights of privacy and spoke of suffusing the value of privacy through our entire approach to dealing with cyber security. Evoking the metaphor of building a cathedral – block by block and over many years – the President argued that privacy should be a basic building block of the Internet
The President culminated his talk by signing a new Executive Order, intended to encourage information sharing by private sector organizations in “Information Sharing and Analysis Centers,” or ISAOs. The ISAOs would then enter information sharing agreements with the National Cybersecurity and Communications Integration Center (NCCIC), under the auspices of the Department of Homeland Security.
We will have further analysis of the Executive Order and its implications, as well as additional information about the summit, in the coming days.