Obama's cybersecurity plan: Why the government alone can't protect us
We've been in a cyber arms race against hackers ever since the first computer viruses started infecting personal computers in the 1980s, President Barack Obama said at a cybersecurity summit in San Francisco Friday.
It's time now, he said, to tackle the problem in a new, more coordinated way. "We design new defenses, and then hackers and criminals design new ways to penetrate them. Whether it's phishing or botnets, spyware or malware, and now ransomware, these attacks are getting more and more sophisticated every day. So we've got to be just as fast and flexible and nimble in constantly evolving our defenses."
Because if there's one thing the U.S. government is known for, it's being fast, flexible and nimble.
Even the president acknowledged the government can't solve the problem on its own. With the understanding that it would require cooperation from both government and the private sector to stop the growing threat posed by hackers at home and overseas, the president ended his remarks Friday by signing an executive order "promoting private sector cybersecurity information sharing."
"So much of our computer networks and critical infrastructure is in the private sector, which means government can't do this alone," he said to a roomful of students and tech executives at Stanford University. "But the fact is, the private sector can't do it alone because the government has the latest information on threats."
Only through collaboration between the private sector and the federal government, the president stressed, do we have any hope of protecting ourselves against myriad cybersecurity threats.
It's hard to argue with that point. But some security experts question the government's capabilities and see the president's plans as falling short of what is really needed. Others smell political posturing and the stench of privacy infringements.
"The scope of the threat, and the nation-breaking damage it can cause are such that we need to team up and defend against these strikes as a working coalition. Otherwise each company, standing alone, may not be able to defend itself and its customers, let alone contribute to the effort of securing our financial, personal, and physical resources," said computer scientist and cybersecurity advisor David Gewirtz.
But he's afraid politics could get in the way.
"Unfortunately, President Obama doesn't exactly have a good record (whether due to his failings or not) of getting bi-partisan support, and I'm concerned that partisan bickering (and, in the corporate world, competitive desires) might get in the way of our very real need to build a universal cyber-shield to defend against what is now an asymmetric battlefield, with the advantage on the enemies' sides."
Jeffrey Carr, president and CEO of Taia Global cybersecurity consultants, isn't confident the government should be taking the lead, given, he said, "how uncertain the government really is about who does what in cyberspace."
It's widely agreed that information sharing is a key element to fighting the cybercrime onslaught. But there is no clear consensus on how to implement sharing -- and what the limits should be.
"Information sharing in cyber is the equivalent of putting up 'Wanted' posters so the bad guy cannot move about freely," Michael Daly, chief technology officer for Raytheon's cybersecurity business, told CBS News. "To be truly effective, we need to get this information out faster than we do today and it must be implemented in our infrastructure instantaneously."
The government helped fund the creation of protocols for reporting and describing security breaches so other companies and organizations can be put on alert. But neither corporations nor the government have been utilizing those protocols to the fullest.
"Some companies signed up to start using the protocols, but it isn't fully implemented in all of the end products. They aren't set up for the federal government to feed to all the entities that might want to subscribe to them," Daly said.
It's a two-way street, and FBI special agent Leo Taddeo told CBS News that encouraging businesses to come forward after a security breach can be a challenge. "We're trying to get the message to businesses that calling the Secret Service, calling the FBI is a net advantage," he said. "There are some indicators that we're not getting called, and that we're blind in some areas."
More sharing should lead to better information, faster responses and the increased ability for companies to see an attack coming. But it also opens the door to questions about privacy and just how much information the government should have access to.
Dave DeWalt, CEO of security firm Mandiant, a participant in Friday's summit, hopes that fear of privacy invasion won't get in the way of the work that needs to get done. He pointed to the way public backlash to government surveillance programs revealed by former NSA contractor Edward Snowden stymied previous efforts to effectively open the lines of communication.
"This balance between privacy and security ebbs and flows and unfortunately that was a huge setback -- a setback to the tune of several years," he said.
The president, in outlining his executive order, acknowledged the history of breached trust and the challenge that poses: "In all our work we have to make sure we are protecting the privacy and civil liberty of the American people. And we grapple with these issues in government. We've pursued important reforms to make sure we are respecting people's privacy as well as ensuring our national security."
But Gewirtz is concerned that "the agenda doesn't include directly facing the issues of conflict with the NSA."
The American Civil Liberties Union contends that proposals currently being considered by both Congress and the White House don't sufficiently protect consumer privacy.
At the root of it, Gewirtz said, "It's all politics, political theatre."
"But," he added, "here's the thing. In order for us to defend against any threat vector, we need to create an environment where pitched competitors can work together. That's politics."