Cyberspace has become today's "Wild West" and as the country's leader, President Barack Obama has positioned himself as sheriff.
That's how the Associated Press summed up the theme of the president's comments given at the White House Cybersecurity Summit at Stanford University Friday (Feb. 13) in the heart of the country's tech development. But as Obama spoke about the government's responsibility to protect its people, he called up the tech and financial companies to take a joint responsibility in providing consumer protection from cyberattacks.
"Just as we're all connected like never before, we have to work together like never before, both to seize opportunities but also meet the challenges of this information age," Obama said at the summit, according to an NPR report. "It's one of the great paradoxes of our time that the very technologies that empower us to do great good can also be used to undermine us and inflict great harm."
The Cybersecurity Summit followed the president's signature of an executive order designed to promote collaboration of cybersecurity threats in the private sector between the private sector and the Federal government.
"Rapid information sharing is an essential element of effective cybersecurity because it ensures that U.S. companies work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together with the federal government to quickly identify and protect against cyber threats," read a White House news release. "From removing barriers, to helping to improve the delivery of timely and relevant intelligence to the private sector, to advocating for needed legislation, the president is committed to improving information sharing and collaboration with the private sector."
Financial Perspective From The Summit
As a representative from the financial industry, Dan Berger — President and CEO of the National Association of Federal Credit Unions — attended the summit and said the key takeaway from Friday's summit was the declaration that tackling cybersecurity must be addressed from a multi-sector approach.
"From a financial institution's perspective, all the stakeholders up and down the payment ecosystem must cooperate and coordinate. And for those stakeholders that continue to have data breaches, a mechanism or national standard must be put in place to hold them accountable," Berger wrote in an email to PYMNTS. Berger also touched on the importance of having experts and stakeholders under one roof in order to help "further elevate the issue."
"Congress and the administration must create a national standard that holds folks accountable for the costs associated with data breaches. Cybersecurity is everyone's responsibility along the payment ecostream but it only works if all the stakeholders are truly doing their part," Berger wrote.
Speaking toward what role financial industry leaders have in ensuring cybersecurity measures are taken to ensure consumer protection, Berger said cybersecurity measures are entirely about trust. Credit unions, for example, have the national standard known as the Federal Gramm-Leach-Bliley Act, which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Berger believes that is a standard other industries must be held accountable to.
“Trust is the key word," Berger wrote. "As leaders, we must make sure all the stakeholders in the payment ecosytem are investing and implementing similar culture and technologies. Until there is a national standard to hold retailers and merchants accountable, massive data breaches will continue to occur."
Berger said the summit — which was attended by top leaders from the tech, health care, insurance and financial industry — had a strong group of panelists who addressed new technologies for encryption and authentication. He specifically pointed to MasterCard's efforts in the space and spoke about the challenges each industry faces as it aims to tackle cybersecurity. As hacker intelligence develops, so too must the security enhancements designed to combat cyberattacks.
"The technology in this space is moving so incredibly rapidly to try to stay ahead of the bad guys," Berger wrote. "Ajay Banga (MasterCard’s CEO) did an excellent job of describing the combined needs of encryption, authentication and secure payments all while improving the user's experience in the most frictionless way possible."
The Private And Public Sector Clash
Apple CEO Tim Cook was one of the summit's key speakers and the tech leader spoke about "everyone's right to security and privacy." His speech touched on how cybersecurity threats impact more than just financial records and personal data, but also the level of security consumers expect to have without having to sacrifice personal privacy — both of which cyberattacks impact. Apple has clashed with Washington about its new encryption tools for its phones that make it harder for law enforcement to hack.
"If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money," Cook said at the summit. "We risk our way of life. Fortunately, technology gives us the tools to avoid these risks. And it is my sincere hope that by using them and by working together, we will."
Just as Obama called upon the private sector to share more about cyberthreats with the federal government, American Express CEO Kenneth Chenault told The Wall Street Journal that it's up to the government to share with the private sector. That's what joint responsibility means, he said.
“The government needs to aggressively share with the private sector in an appropriate manner the indicators of an attack,” Chenault said.
Outside of the financial and tech sectors, the retail industry that's faced an immense amount of threats just in the last year alone (Target and Home Depot, to name two), the National Retail Federation also shared its thoughts on the summit. Following the announcement of Obama's executive order, the NRF released a formal statement commending the measure for "providing solution-based leadership around the significant threat posed by hackers and other cybercriminals."
"We are encouraged that the administration is pursuing a comprehensive approach and proposing the creation of new Information Sharing and Analysis Organizations, where companies can share information about cyber threats with the government and across sectors of the economy. The executive order is very much in line with what we are already doing to identify, classify and disseminate intelligence on actual and potential cyber threats to more than 150 of the best-known retail brands and companies, large and small. It is an acknowledgement that industries need more flexible and nimble information-sharing platforms to combat cyber threats in the future," the statement read.
The NRF relayed that the retail industry is "committed to safeguarding consumer data" and will work with Congress to ensure a solution is met. The NRF has already been involved in a joint partnership that involves information sharing and includes alerts from private and public entities — including the U.S. Department of Homeland Security and U.S. Secret Service — to alert retailers and merchants in real time to stop cybersecurity threats at the source.
"Over 2,000 alerts have been provided to retailers since its inception," the NRF statement read. "Whether it’s PIN-and-Chip credit cards or adoption of point-to-point data encryption, retailers are leading the fight for stronger cybersecurity."
What The White House Is Saying
The White House issued the following comments on Friday prior to the summit.
"Cyber threats to individuals, businesses, critical infrastructure and national security have grown more diffuse, acute, and destructive. Despite improvements in network defense, cyber threats are evolving faster than the defenses that counter them. Malicious actors ranging from sophisticated nation states to common criminals to hacktivists take advantage of the anonymity, reach, and broad range of effects that cyberspace offers. Because of the interconnected nature of the Internet, no one is isolated from these threats. We are at an inflection point, both domestically and internationally, and now is the time to raise the call for greater collective action."
"Cybersecurity is a shared responsibility. The Federal government has the responsibility to protect and defend the country and we do this by taking a whole-of-government approach to countering cyber threats. This means leveraging homeland security, intelligence, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and our national defense. Yet much of our nation’s critical infrastructure and a diverse array of other potential targets are not owned by the Federal government. The Federal government cannot, nor would Americans want it to, provide cybersecurity for every private network. Therefore, the private sector plays a crucial role in our overall national network defense. To that end, both the Federal government and the private are announcing key commitments today."
The release from the White House highlighted specific measures from the payments industry that have been implemented since October 2014 when Obama signed an Executive Order to advance consumer financial protection and launched the Buy Secure Initiative. The payments industry initiatives noted include:
- Visa's tokenization commitment: Replacing card numbers with randomly generated tokens for each transaction.
- MasterCard's $20 million investment in cybersecurity tools, which includes the new cybersecurity solution Safety Net, aimed at reducing large-scale cyber attacks.
- Apple, Visa, MasterCard, Comerica Bank and U.S. Bank's commitment to working together to make Apple Pay a tokenized, encrypted service. This includes in the federal payment cards
- Square's educational work with the Small Business Administration to ensure they adopt more secure payment technologies
- The Financial Services Roundtable and the Retail Industry Leaders Association jointly "released two papers to enhance collaboration in the development of technology standards and principles for the development of next generation technologies that minimize the value of payments information if it is stolen or lost."
- American Express is announcing rollout of new multi-factor authentication technologies for their consumers.
- MasterCard, in partnership with First Tech Credit Union, will announce that they will implement a new pilot later this year that will allow consumers to authenticate and verify their transactions using a combination of unique biometrics such as facial and voice recognition.
Who Didn’t Show Up
Just as noticeable as what was said and who said what, was who decided to sit this one out. Apple’s Tim Cook was the only CEO from a top tech company to attend. There was no Mark Zuckerberg from Facebook, Larry Page from Google, Satya Nadella from Microsoft, or Marissa Mayer from Yahoo! They were all invited, of course, but didn't attend. None of them publicly cited reasons for why they weren't attending, but said they were sending other executives in their place, according to a Bloomberg report. One source of potential tension is their position on the National Security Agency spying on users. Internet privacy rights have flared relations between the private and public sectors in recent years, which could have led to the CEOs' absences.
While Obama's talking points about the summit focused on bringing together everyone in the various sectors that attended, the absence of those top CEOs could suggest some of the leaders weren't willing to back the president at the summit. Instead of skipping the event, Cook used the summit as a forum to speak about the need for privacy as the country seeks tighter cybersecurity measures.