For those who have been following all the failed federal cybersecurity legislation during the last year, it should come as no surprise that President Obama’s Summit on Cybersecurity and Consumer Protection was a call to Congress to act. Not coincidentally, the Summit was held at Stanford University on Friday, February 13, 2015, exactly one year after the National Institute of Standards and Technology published the first version of its Framework for Improving Critical Infrastructure Cybersecurity, and two years after President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to establish the Framework.
The Framework consists of scalable standards, guidelines, and practices to help owners and operators of critical infrastructure to manage cybersecurity-related risk.
The Summit received a lot of media attention and was attended by many top executives, such as CEOs from PG&E, MasterCard, Apple, Bank of America, American Express and Kaiser, as well as cabinet members from the Departments of Energy, Commerce and Homeland Security.
Every talk began with a warning about the magnitude and rapid evolution of cybersecurity threats against all targets and the vulnerability of systems and individuals due to our growing interconnectedness. The government speakers consistently advocated for more information-sharing with federal law enforcement and collaboration between private and public sectors to prevent cyber-attacks. The private sector focused more on advances in available secure technologies and Congress’s failure to pass federal legislation providing for consistent data breach procedures and liability protections for information-sharing.
At the end of the morning, President Obama signed the “Executive Order – Promoting Private Sector Cybersecurity Information Sharing.”
The Executive Order seeks to address cyber threats by directing DHS to establish a framework for broad-based Information Sharing and Analysis Organizations (ISAOs), as compared to the existing industry-based Information Sharing and Analysis Centers (ISACs), with the sharing to be facilitated by the so-called National Cybersecurity and Communications Integration Center.
The Executive Order does not address either federal standards for data breach notifications or liability protections for companies that engage in information sharing—two issues the private sector continues to wait for Congress to resolve. In his remarks, however, President Obama urged companies to implement the NIST Framework, articulated a 30-day notification period, promoted a consumer’s bill of rights, and advocated for liability protections for information sharing, although all of these subjects were touched only very briefly and are now back in the hands of Congress.