Obama Needs Silicon Valley on His Team
President Barack Obama will reportedly announce a new executive order today that compels companies and the government to share threat information as part of an effort to defend against the sorts of cyber-attacks that crippled Sony Pictures and exposed the Social Security data of 80 million Anthem insurance customers.
Security professionals and investors expect that the president will make the announcement during the White House summit on cybersecurity and consumer protection that’s taking place at Stanford University.
Whether an executive order comes or not, security officers and investors say that it’s clear that the White House is going to push for more information sharing between corporate America and the government. Administration officials are already forming the Cyber Threat Intelligence Integration Center, an agency that will gather threat intelligence across all of the agencies, and Obama proposed laws last month that would protect companies from legal liability if they shared breach-related information with the government.
The decision to hold the summit in Silicon Valley suggests that, in part, the administration wants to be a better partner with the tech industry in the fight against cybercrime.
For its part, the tech industry is ambivalent about a closer relationship with government intelligence agencies, as evidenced by the fact that Yahoo, Facebook and Google didn't send top executives to the summit.
The tech industry's wariness of government involvement predates revelations by former government contractor Edward Snowden, says J.J. Thompson, the founder of consulting firm Rook Security. Some of the revealed National Security Agency spy programs, including Prism, collected data from big Internet companies.
Tech companies are loath to share information that “violates individual privacy or that invades civil liberties,” says venture capital investor Alberto Yepez. The relationship between tech companies and the government has become more complicated as companies such as Microsoft have waged high-profile legal battles to protect customer data.
Most smart tech professionals know such a partnership is vital. Public companies need information from the government to adequately protect themselves, as people actively working on the Anthem breach can attest: The health-care industry has heavily relied on information from the Federal Bureau of Investigation to understand the scope, severity and consequences of the attack.
Corporate cybersecurity officers are in favor of such real-time collaborative defense, says Bessemer Venture Partner David Cowan, who invests heavily in security startups. He says he agrees with executives and investors who say that “perceived liability” currently stands in the way of true collaboration.
The mechanics of an executive action could alleviate those fears by putting into place basic protections that let companies share information anonymously and protect them from legal liability if they do give the government information -- protections similar to those that the president proposed to Congress. An executive order would probably be more limited in scope than legislation, but it could more quickly put protections into place.
No one disagrees that tech companies could be big allies in the fight to protect the country’s online infrastructure; most agree that corporate America needs intel from agencies such as the FBI and the Central Intelligence Agency to respond effectively to threats. Thompson says that many companies don’t even know they’ve been breached until the FBI calls and alerts them to suspicious activity.
But data sharing can’t happen until tech firms can protect themselves from liability and their customers from mass surveillance that could violate their civil liberties. If the president can’t lay down that groundwork today, it will be up to Congress to get the job done. That’s the sort of thing that really makes me fear for our online safety.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.