Federal Cybersecurity Duplicity

As part of a whistle-stop tour of Northern California, President Obama held a White House Summit on Cybersecurity and Consumer Protection at Stanford University last Friday.  Much to the delight of the Silicon Valley crowd, the President signed an executive order (right there on stage at Stanford) to promote data sharing about digital threats.  The summit also highlighted industry leaders like Apple CEO Tim Cook, and large critical infrastructure organizations like Bank of America and Pacific Gas & Electric Co.

The President picked the right location for his cybersecurity bully pulpit.  The Peninsula is a nexus of technology optimism, constantly focused on the new new thing.  The event also attracted the Sand Hill Road crowd, eager to capitalize on national cybersecurity gaga. 

Now the President should be actively involved in the cybersecurity discussion.  After all, he promised to focus on cybersecurity issues when he ran for President in 2008, and the entire situation has only gotten worse over the intervening 7 years.  That said, the Silicon Valley has a short-term memory and tends to view issues through a myopic lens focused on technology and money.  Beneath the obvious media event value of the Stanford event, there are a few fundamental problems with the President’s messages:

1. President Obama’s plan for a public/private cybersecurity partnership is nothing new.  In February 2000, the White House put out a press release titled, President Clinton: Working to strengthen cybersecurity.  Here is some of the text from this release:  “Today, at the White House, President Clinton and members of his Cabinet met with leaders of Internet and e-commerce companies, civil liberties organizations, and security experts to announce actions aimed at strengthening Internet and computer network security. The President announced immediate steps the government will take to enhance security for our nation’s computer systems, and industry executives declared their intention to create an information-sharing mechanism to better respond to cyber-attacks (emphasis added by me).  Hmm, sounds a lot like the Stanford summit.  Why should we believe that things will be different this time?
2. The intelligence sharing program lacks detail.  What exactly does the President mean when he talks about intelligence sharing?  No one really knows but a lot of historical intelligence sharing was nothing more than emails and lists of malicious IP addresses, URLs, and file hashes in the past.  This manual methodology lacks the speed, automation and contextual depth needed to address today’s threat landscape.  Yes, intelligence sharing has potential but only if it is based on standards for machine-readable data formats and pervasive automation – think STIX, TAXII, FS-ISAC Soltra, and vendors like ThreatGrid and Vorstack.  Maybe I’m a skeptic, but I haven’t heard anything that leads me to believe that the Feds can create and lead this effort.
3. What about privacy?  The president has consistently stated that a public/private threat intelligence sharing framework can only succeed if it provides clear guidelines on privacy.  Okay but once again, where are the details?  Unfortunately, the feds have an extremely poor track record on privacy so I for one remain cynical (think NSA, Snowden, etc.).  And while the chief executive is promising privacy on one hand, he (and others in the US and EU) is complaining about mobile device encryption and making a case for key escrow so that law enforcement can decrypt our data for surveillance and law enforcement purposes (does anyone else remember the Clipper chip?).  Without clear guidelines and oversight on privacy, the public/private intelligence sharing partnership is effectively DOA.
4. Homeland cybersecurity protection remains a conflict of interest with offensive cyber operations.  While the President was championing cybersecurity protection here at home, Kaspersky Lab announced that it discovered extremely stealthy malware that it attributes to the NSA.  The malware was likely used for surveillance and sabotage in countries like Iran, Russia, China, and others.  This is an exceptionally important conflict of interest that deserves much more transparency and public debate.  Before we cry the blues about US-based businesses being hacked by criminals and nation-states, we must understand that our own government is doing similar things to other governments and private organizations.  So while we really need international cooperation to address the global scourge of cybersecurity events, we won’t find much support if our government is viewed in the same manner as petty crooks in Odessa or despots in Pyongyang.

Note to the President and Congress:  We need and welcome your help to address cybersecurity threats but we also want an honest and transparent effort featuring out-of-the-box thinking.  This is not a “sting” operation, it is about our information, infrastructure, and privacy.  We also need leadership on the global stage rather than the same old cybersecurity shtick at Stanford.