The US president, Barack Obama, attended a cyber security summit at Stanford University in Palo Alto, California in February. Around the same time he signed an executive order designed to encourage companies to share threat information with each other, and with the government. However, there were some big players from the tech industry missing from the summit, including the CEOs of Google, Yahoo and Facebook.
So, what is going on? Making companies more secure, and the data of individual internet users more secure, is a laudable objective, right?
An article on Infosecurity Magazine titled “Obama Signs Executive Order on Private-Sector Info-Sharing” explains in more detail the idea behind the policy, and the objections from the tech industry.
Reporter Tara Seals explains that the executive order is designed to increase information sharing so that companies can work both together and with the government. This cooperation is designed to identify cyber attacks and threats quickly, and then come up with fast solutions to protect against them.
President Obama explained his position by saying that all stakeholders need to work together, while urging politicians to keep this out of the political arena by ensuring it does not become a partisan issue.
“Government cannot do this alone. The fact is that the private sector can’t do this alone either,” he said.
He added that despite this, it is usually the government that is first to learn of new threats.
So why didn’t the tech giants turn up to support this? Their position was explained by Apple’s boss Tim Cook. He was at the event but he explained the concerns of the IT industry all come down to privacy. In fact this is more than a mere concern – Cook described privacy issues as being a “matter of life and death”.
He said: “History has shown us that sacrificing our right to privacy can have dire consequences.”
In other interviews Cook has explained that he also thinks that widespread information gathering and sharing would be ultimately ineffective. Take terrorists as an example. Their use of technology to communicate is one of the things governments like the Obama administration want to pick up through information sharing between companies and state bodies. But Cook says the terrorists have their own encryption systems which would mean their communications will continue unseen. And what is the result? Information sharing catches all the private information from “good” people, while missing the information from terrorists.
So despite the executive order, the debate between cyber security and privacy rages on, and it continues to be tense and fractious. Senior Google executive Eric Goose summed it up when he said information sharing is hard to do “once trust is lost”.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”