Obama signs information-sharing order as privacy question looms
At a cybersecurity summit held on the Stanford University campus, President Obama outlines a plan for companies and the US government to share information and fend off cyberattacks.
Nick StattFormer Staff Reporter / News
Nick Statt was a staff reporter for CNET News covering Microsoft, gaming, and technology you sometimes wear. He previously wrote for ReadWrite, was a news associate at the social-news app Flipboard, and his work has appeared in Popular Science and Newsweek. When not complaining about Bay Area bagel quality, he can be found spending a questionable amount of time contemplating his relationship with video games.
Watch this: President Obama signs executive order for information sharing (video)
PALO ALTO, Calif. -- In a push to bolster the nation's cyberdefenses, President Barack Obama signed an executive order mandating the creation of specialized organizations that will allow the US government and companies across the tech, finance, energy and health care industries to share information about threats as they occur.
"Government cannot do this alone. The fact is, the private sector cannot do this alone either, as government has the latest information on threats," Obama said at the White House summit on cybersecurity and protection at Stanford University's Memorial Hall on Friday. "Today I'm once again calling on Congress to come together and get this done."
Known as "information sharing and analysis organizations," or ISAOs, these new entities can be not-for-profit community organizations, membership groups or single companies, the administration clarified. The US Department of Homeland Security would then be authorized to approve classified information-sharing arrangements and to ensure that ISAOs can access classified threat information. The order would also fund the creation of a nonprofit organization to develop a set of voluntary standards for ISAOs.
Obama, joining many of the officials onstage this morning, called for bipartisanship in helping the order work its way through Capitol Hill. "Everybody's online," he added, "and everybody's vulnerable."
The White House summit is Obama's latest attempt to curb the rising tide of cyberbreaches that have become an almost everyday occurrence. The summit aims to promote the idea of info-sharing as a tactic for improving cybersecurity overall, as well as a rapprochement between the US government and the private sector. That relationship has frayed in the last few years -- especially within the tech sector -- after NSA whistle-blower Edward Snowden revealed the government's surveillance of people's online messages. Tech companies have countered by making it harder for governments to read their customers' emails and messages.
Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google's Larry Page and Eric Schmidt were all invited to the Stanford event, but won't attend, according to the companies. Apple CEO Tim Cook made an appearance, talking about people's rights to privacy and security.
"Cyberthreats against American interests are increasing in their frequency, their scale, their sophistication and the severity of their impact," said Lisa Monaco, Obama's Homeland Security adviser, who spoke earlier this morning. "The actions we take today, or fail to take, will determine whether cyberspace remains a great international realm of opportunity...that facilities progress and bold new ideas or, frankly, whether it becomes a strategic vulnerable."
The role of privacy, with hacks on the rise
Cyberattacks against US businesses and organizations have forced the Obama administration to grapple with the best way to deal with massive data leaks and thefts. Following his remarks on security in his State of the Union address, Obama is now asking for $14 billion in the 2016 budget proposal to beef up US efforts against such attacks. On Tuesday, the administration announced the creation of a new government agency, the Cyber Threat Intelligence Integration Center, that will fuse information from various intelligence-gathering services to thwart cyberattacks in much the same fashion as government counterterrorism task forces.
The heightened measures are for good reason. Hacks on businesses and government agencies ran rampant in 2014 -- there were more than 1,500 data breaches worldwide, up nearly 50 percent from 2013. Last month, insurance provider Anthem revealed that hackers had broken into its computer systems and potentially accessed the personal data of 80 million people, including their names, emails, passwords and Social Security numbers. Such information makes Anthem's customers vulnerable to identity theft for the rest of their lives. Last year, JP Morgan Chase revealed that more than 76 million US households that had logged in online or through mobile devices had had their accounts compromised.
To even greater notoriety, hackers last November breached the computer network at Sony Pictures Entertainment, spilling details of the inner workings of Hollywood studios and leading the way to an international incident over the comedy film "The Interview." The US government pointed the finger at North Korea as the likely culprit behind the attack, stirring up debate around the growing threat of state-sponsored hacking.
Four of the top tech companies caught up in the Snowden leaks -- Yahoo, Google, Microsoft and Facebook -- declined to send their respective CEOs to the summit, choosing instead to send their top information-security executives. Facebook earlier this week launched its own collaborative tool in the form of a social-networking site for security professionals to share information, called ThreatExchange.
Snowden's leaks have created a divide between many Silicon Valley companies and the government as news of the NSA's activities damaged relations with US consumers and with overseas businesses. Apple and Google have begun encrypting smartphone data by default, protecting it from thieves and hackers, but blocking out and frustrating law enforcement agencies in the process.
In a moment of rare acknowledgement, a Homeland Security official referenced the leaks in a call for more collaboration and a repairing of the relationship between tech companies and the government.
"In this -- dare I say -- post-Snowden environment, it's critical for us to continue the dialogue," Jeh Johnson, the US secretary of Homeland Security, said during a morning panel with chief executives of finance, energy, health care and security firms.
Many officials onstage Friday said privacy is a top priority, without providing details on how the new cybersecurity initiatives will balance privacy and security. Obama did clarify that his executive order "will call for a common set of standards, including protections for privacy and civil liberties." Meanwhile, Jeff Zients, director of the National Economic Council, who spoke earlier in the morning Friday, said "cybersecurity and consumer protection are two sides of the same coin."
Nuala O'Connor, president and CEO of the Center for Democracy and Technology, was outspoken on easing the perceived tensions between privacy and security. "Wholesale collection of data into the hands of the federal government is not a solution to the problem," she said during a panel with finance and tech chief executives. "I should have the right to engage in a digital world without feeling like I'm being spied on by the government."
Apple's Cook took the stage prior to Obama as the highest-level representative of the tech industry. Last year, Apple came under heavy criticism for the security of its iCloud data storage and backup system, following a devastating leak that resulted in a trove of nude images, most prominently of female celebrities, ending up on the Web.
Though hackers did not exploit any specific flaw in iCloud, they were able to attack other accounts to glean identical or similar passwords they could try out on Apple's system. The iPhone maker's failure to consistently communicate its available security measures -- like two-factor authentication -- and regularly notify users of account sign-ins and password retrieval requests made it easy for hackers to access the affected accounts. Apple enhanced its iCloud security measures following the incident.
In his speech, Cook made a strong stand for consumer privacy rights in a sweeping call for protection. He did so notably after taking sharp jabs at search giant Google and social-network Facebook by saying, as Cook has in past speeches, that Apple's business model does not rely on collecting and selling its users' data to advertisers.
"We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose," Cook said. "We must get this right. History has shown us that sacrificing our right to privacy can have dire consequences.
Obama ended his address by appealing to the sanctity and power of the Internet itself.
"Like all those innovators before us, our work will endure -- like a great cathedral for centuries to come," he said, evoking the words of Internet pioneer Paul Baran. "That cathedral will not just be about technoloy. It will be about the values we've embedded in the architecture of the system.
"It will be about privacy and community and it will be about connection," Obama added. "What a magnificent cathedral that all of you have helped to build."