US president Barack Obama has called on the private sector to help fight cyber attacks at a one-day summit meeting in Silicon Valley on tackling cyber crime.
Obama said government and industry should share “appropriate information” as true partners.
To support this, he signed a fresh executive order that lays out new ways for companies to share information on cyber threats and promises oversight to ensure privacy is protected.
Obama met representatives of the world’s largest companies, the US Secret Service, the FBI and the UK’s National Crime Agency at Stanford University in California on 13 February 2015.
“Everybody is online, and everybody is vulnerable,” he told the summit, which took place close to the headquarters of top US technology firms, including Google, Facebook and Intel.
But partnering with the federal government is a hard sell in Silicon Valley, said Time, with technology firms reluctant to sign up to anything that could limit their reach.
Technology firms are also keen to distance themselves from the US internet surveillance programme revealed by whistleblower Edward Snowden in June 2013.
According to Snowden, the Prism programme included access to data from US technology firms.
In December 2013, several technology firms joined forces to call for urgent reforms of all internet surveillance programmes.
Google, Apple, Facebook, Twitter, AOL, Microsoft, LinkedIn, and Yahoo have formed an alliance called Reform Government Surveillance.
In the wake of a recent string of high-profile cyber attacks on US retailers, health companies and financial institutions, Obama is working to rebuild relationships with the technology sector.
He told more than 1,500 business leaders, students, law enforcement officers and security services personnel that information about threats must be shared and responded to quickly.
Obama wants US Congress to replace the existing mishmash of state laws with a national standard giving companies 30 days to notify consumers if their personal information has been compromised.
A significant thing to come out of the summit is the president's recognition that today’s threat landscape is a cyber arms race, according to Phil Smith, senior vice-president of government solutions and special investigations at security firm Trustwave.
“That statement is significant because it puts organisations and individuals on notice that cyber security is a national security and public safety issue,” he said in emailed comments.
Closer collaboration a step in the right direction
Smith believes the proposals on closer collaboration around cyber security between government and industry are a step in the right direction.
“But the president can only go so far with an executive order. It takes congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful,” he said.
Smith noted that history has shown that a voluntary framework does not work. “We need a required-by-law component, to allow agencies and companies to work together and share information in a protected environment,” he said.
Obama told the summit that several hubs have been or are being set up to encourage collaboration among government organisations, law enforcement and the private sector.
“We need to bring those hubs together so that it is one alliance that shares information and is protected from any legal implications at the same time,” said Smith.
“Whenever information is shared across organisations, they have an advantage in defeating a cyber criminal. We have seen this firsthand through our own experience sharing our threat intelligence with the information security community. Every day, we feed shared intelligence into our own managed security services so that we can protect businesses from the latest threats.”
Although initially focused on organisations that support critical national infrastructure, membership of the CISP is free and open to any UK company with a network to defend.
The CISP – set up in March 2013 – uses a dedicated, online collaboration environment to enable government and industry members to share cyber threat and vulnerability information.
Members are able to share – publicly or anonymously – information on the cyber incidents they are seeing, to help one another protect against cyber threats.