At cybersecurity gathering, the White House steps up charm offensive
US government officials ventured to the West Coast to win over the security community and business leaders as Internet security proposals make their way through Congress.
SAN FRANCISCO — The contrast couldn't have been sharper between the Washington insider and the tech executive.
In San Francisco this week, White House cybersecurity czar Michael Daniel – clad in dark suit, government pin, and a yellow tie decorated with waving flags – sat across from Amit Yoran, president of the security firm RSA, who was sporting a tight zip-up workout shirt and jeans.
Yet the differences between the two – and between Silicon Valley and Washington – are far more than just sartorial.
Mr. Daniel and Mr. Yoran came together for one of the hundreds of events that took place this week during the RSA Conference, an annual megagathering for the cybersecurity industry. It attracted tens of thousands of professionals from the field, and also lured Obama administration officials and Washington policymakers on a concerted charm offensive to win over business leaders at a time when cybersecurity and digital privacy are attracting a national spotlight.
Indeed, just this week, the House of Representatives passed two bills to increase the sharing of cyberthreat intelligence between the government and private sector. Information sharing has recently become a major national priority for President Obama in the wake of major breaches on companies such as Sony Pictures and the health insurer Anthem, and lawmakers have touted the proposals as major moves to protect computer networks and consumer data in a rare bipartisan effort.
But many within the cybersecurity industry have greeted the proposals with deep skepticism. Some argue such formal exchanges are unnecessary in light of the sharing that already goes on within industry. Others are concerned about privacy and protecting customers’ information once it gets in government hands, especially in light of the revelations about the National Security Agency's mass surveillance. And some companies are concerned they might not get useful information back from the government to help protect their networks in exchange for the information they provide.
So across the country, Obama administration officials made their case.
“Increasing the amount of information flow between the government and the private sector, and between companies in the private sector, is a critical foundational element,” said Daniel on the panel with Yoran, at the event hosted by security company Invincea and Passcode. “It’s a necessary ... component of getting better at confronting the cyberthreat.”
Like many within the security and broader technology industry, Yoran said he doesn't believe sharing threat information with the government will be a panacea. Although he said it was a "net positive step in the right direction," he wasn't convinced it would stop security breaches. “I don’t think security breaches are stoppable in the current computing paradigm.”
Further separating the industry from Washington, which is often slow to catch up to technology, Yoran echoed a familiar Silicon Valley ethos: “We just have to move further, faster.”
The disconnect between these two camps isn't new, but it has become especially fraught following the leaks from former NSA contractor Edward Snowden about the government's bulk collection of communications data. At the same Passcode event where Daniel and Yoran met on stage, one information security professional asked the assistant attorney general for national security, John Carlin, about how the government plans to “get more cooperation” from the private sector in light of the Snowden revelations.
"Well, here I am," Mr. Carlin quipped. “It’s relatively new for someone in this position … to be out here meeting with private industry.”
That outreach won't be limited to handshakes on a cross-country business trip. The federal government is extending its reach into the tech sector by opening permanent outposts in Silicon Valley. Both the Pentagon and Homeland Security announced plans this week to open offices here.
These bridges to the technology sector certainly suggest a growing realization in Washington that the government needs industry in order to guard against increasingly sophisticated cyberattacks. But whether the administration's approach bears fruit remains to be seen, especially because of the complicated legal and technical nature of the issues being considered on Capitol Hill.
For instance, take the House bills on information sharing. The Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015 authorize private companies to share threat data such as malware signatures, Internet protocol addresses and domain names with other companies and with the federal government. The bills offer organizations liability protection for participating in threat information sharing.
Both bills contain provisions that permit government agencies to exchange data with each other but not with the National Security Agency or Department of Defense. Also included are provisions that prohibit sharing of users’ private information and strict limits on the use of the information for any purpose other than mitigating cyberthreats. Now, the two bills need to be consolidated and sent to the Senate as a single bill.
Industry remains concerned despite some amendments to offer liability and privacy protections in exchange for sharing. If a company knows about a potential threat and doesn't act fast enough, will it find itself in legal hot water over a data breach? And what's the upside for security vendors to share their own intelligence about cyberthreats with the government, which could in turn give it to potential competitors?
“We’re not looking to cannibalize that, put anyone out of business, or compete,” Phyllis Schneck, the Department of Homeland Security’s top cybersecurity official, assured the audience of industry professionals at the Passcode event. “We want you to grow, we want you to make a lot of money because more money leads to more innovation.”
Further complicating the government's push to get companies to provide more agencies more information is the upcoming debate over whether to reauthorize the USA Patriot Act; intelligence agencies use key provisions set to expire in June to justify mass surveillance programs. The upcoming debate will once again resurface privacy concerns in the tech world and may have implications for the fate of the cybersecurity bills on Capitol Hill.
Even so, the Obama administration officials who ventured west this week appear determined to leave behind a legacy of new cooperation when it comes to improving cybersecurity.
As Daniel, the cybersecurity czar, said: “The president is fond of saying, ‘Yes, we’re in the fourth quarter – but there’s a lot of interesting stuff that happens in the fourth quarter.’”