Last Friday, the White House released a Fact Sheet entitled “White House Summit on Cybersecurity and Consumer Protection” in which it announced that “the President is convening leaders from throughout the country who have a stake in bolstering cybersecurity–from industry, tech companies, and consumer and privacy advocates to law enforcement, educators, and students.” What will they discuss? According to the Fact Sheet, “participants will discuss opportunities to spur collaboration and develop partnerships in the cybersecurity and consumer financial worlds to share best practices, promote stronger adherence to security standards, improve cyber threat information sharing, and encourage the adoption of more secure payment technologies.”
By releasing the Fact Sheet and convening a “summit,” the White House has signaled a clear intent to get the Feds more actively involved with cybersecurity. Indeed, one of the introductory paragraphs of the Fact Sheet says as much: “We are at an inflection point, both domestically and internationally, and now is the time to raise the call for greater collective action.”
But as with any political pronouncement, the devil is in the details. The details provided in the Fact Sheet are both good and bad for MFT Nation readers, as we will explain below.
The Cybersecurity Framework
The Fact Sheet starts by extolling the virtues of the Cybersecurity Framework. bTrade’s MFT Nation blog has commented extensively on developments relating to the Framework.
In a previous blog, we explored how the public was accepting (or not accepting) the Framework. The Fact Sheet provides us with an update from the prospective of the White House, and it says the Framework is “emerging” as important tool for managing cyber risks. In other words, it’s still a work in progress, and it certainly hasn’t become the standard for managing cyber risks.
In a previous blog, we noted that compliance with the Framework is “voluntary,” but explored how the Feds might take steps to convert the Framework from voluntary to mandatory. On this point, the Fact Sheet states that the Feds will continue to “promote” the “broad uptake” of the Framework. In other words, the Feds will continue to call it voluntary, but at the same time they will use their vast arsenal of incentives/disincentives in an attempt to force the “broad uptake” of their “voluntary” program.
In an apparent attempt to convince us there has been some “uptake” of the Framework, the Fact Sheet lists nine “corporations” it says are “announcing a commitment to using the Framework.” I must say that a close examination of the accompanying descriptions for each corporation doesn’t show a lot of “uptake.” Intel seems to be the most engaged, as it “is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.” But the other corporations don’t seem to be that far along in the commitment process. For example, the Fact Sheet says Apple is incorporating the Framework, but only “as part” of its “broader security protocols across its corporate networks.” The same applies for Walgreens; it will be announcing at some unknown time in the future that it will use the Framework as “one of its tools” for identifying and measuring risk. The only description provided for Kaiser Permanente is that it is “committing to use the Framework,” but no details are offered relating to when and how it will use the Framework.
Information Sharing, Secure Payment Technologies, and Multi-Factor Authentication
The Fact Sheet next describes goals/initiatives associated with the following matters:
- Encouraging and promoting the sharing of cybersecurity threat information within the private sector and between the private sector and the Feds
- Commitments to promote more secure payment technologies
- Moving from usernames/passwords to multi-factor authentication
Some civil libertarians oppose any expanded information sharing with the Feds because they feel it poses a serious risk of transferring more personal information to intelligence and law enforcement agencies. We view all these goals/initiatives as good stuff. But remember, none of these goals/initiatives will guarantee data security. Each organization must still adopt and deploy common sense data security measures, such as using strong passwords, and stop using of out-of-date software, and create a strategic infrastructure by “consolidating and converging” existing solutions to help improve operational efficiency and scalability.
The Fact Sheet concludes with a call for the Congress to pass laws that would:
- Enable more cybersecurity information sharing
- Increase criminal penalties for cyber crime
- Replace state data breach laws with a federal data breach law
The Electronic Frontier Foundation, a self-proclaimed IT activist organization, describes the White House’s legislative proposals as the “same old tune” and offered this explanation:
More needs to be done to protect cyberspace and enhance computer security. But President Obama’s cybersecurity legislative proposal recycles old ideas that should remain where they’ve been since May 2011: on the shelf. Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.
What Do You Think About Increased Involvement by the Feds?
So far, reaction from the IT industry seems to be mixed. The leaders of Google, Facebook and Yahoo made a conscious decision to skip the White House “summit,” choosing instead to defer the invitation to their security specialists. But others, including those corporations identified in the Fact Sheet, are behind increased efforts by the Feds to help combat cyber threats.
What do you think about the recent actions taken by the Feds? Let us know by posting a comment below.