U.S. President Barack Obama speaks at the Summit on Cybersecurity and Consumer Protection at Stanford University in Palo Alto, California, February 13, 2015. The aim of the summit is to build support for beefing up cyber security laws in the wake of massive hacks at Target, Sony and Anthem. Image Credit: REUTERS

US President Barack Obama signed a new executive order on Friday that compels companies and the government to share threat information as part of an effort to defend against the sorts of cyberattacks that crippled Sony Pictures and exposed the Social Security data of 80 million Anthem insurance customers.

He made the announcement during the White House summit on cybersecurity and consumer protection at Stanford University. The decision to hold the summit in Silicon Valley suggests that, in part, the administration wants to be a better partner with the tech industry in the fight against cybercrime.

But the tech industry is ambivalent about a closer relationship with government intelligence agencies, as evidenced by the fact that Yahoo, Facebook and Google did not send top executives to the summit.

The tech industry’s wariness of government involvement predates revelations by former government contractor Edward Snowden, says J.J. Thompson, the founder of consulting firm Rook Security. Some of the revealed National Security Agency spy programmes, including Prism, collected data from big internet companies.

Tech companies are loath to share information that “violates individual privacy or that invades civil liberties”, says venture capital investor Alberto Yepez. The relationship between tech companies and the government has become more complicated as companies such as Microsoft have waged high-profile legal battles to protect customer data.

Most smart tech professionals know such a partnership is vital. Public companies need information from the government to adequately protect themselves, as people actively working on the Anthem breach can attest: The health-care industry has heavily relied on information from the Federal Bureau of Investigation to understand the scope, severity and consequences of the attack.

Corporate cybersecurity officers are in favour of such real-time collaborative defence, says Bessemer Venture Partner David Cowan, who invests heavily in security startups. He says he agrees with executives and investors who say that “perceived liability” currently stands in the way of true collaboration.

The mechanics of an executive action could alleviate those fears by putting into place basic protections that let companies share information anonymously and protect them from legal liability if they do give the government information — protections similar to those that the president proposed to Congress. An executive order would probably be more limited in scope than legislation, but it could more quickly put protections into place.

No one disagrees that tech companies could be big allies in the fight to protect America’s online infrastructure; most agree that corporate America needs intel from agencies such as the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency to respond effectively to threats. Thompson says that many companies do not even know they have been breached until the FBI calls and alerts them to suspicious activity.

But data-sharing cannot happen until tech firms can protect themselves from liability and their customers from mass surveillance that can violate their civil liberties. If the US president cannot lay down that groundwork, it will be up to Congress to get the job done. That is the sort of thing that really makes me fear for online safety.

— Washington Post

Katie Benner is a tech columnist with Bloomberg View.