Opinion: White House Summit Missed a Larger Opportunity on Cybersecurity

The White House Summit on Cybersecurity and Consumer Protection at Stanford University was a very good event with meaningful outcomes. But it could have been much more.

by / February 14, 2015

President Obama at Stanford University

President Obama at Stanford University, all photo credits to White House livestream

The perfect stage was set last Friday for the first-ever White House Summit on Cybersecurity and Consumer Protection. After a series of high profile breaches from companies such as Anthem, Sony and Target had grabbed global news headlines over the past year, the stakes were never higher for the future of cyberspace, personal data privacy, stopping cybercrime and securing online commerce.

Most top U.S. corporate executives were there. The venue at Stanford University was superb, and a global audience was eagerly watching via an Internet livestream. The warm-up acts ranged from somewhat predictable to very good, included memorable family stories from Homeland Security Secretary Jeh Johnson and thoughtful words on the importance of personal privacy from Apple CEO Tim Cook.

Apple CEO Tim Cook

And then came the moment everyone was waiting for. The President of the United State of America gave a solid keynote address that few from either end of the political spectrum will likely criticize. In a campaign-like atmosphere before supportive students and vetted high-tech industry leaders, President Obama appeared relaxed, articulate and even funny.

The President chronicled our brief Internet history, the good and evil extremes in the virtual world and the online threats we face in cyberspace. He said we must do more to build online trust. After offering information sharing next steps for the public and private sector to follow, the President concluded by signing an Executive Order (EO) on cybersecurity information sharing.

And yet, despite all the fanfare and well-delivered speeches and interesting panels, this Summit did not rise to the level of an historic breakthrough. The people I spoke with were hoping for more. President Obama missed a unique opportunity to rise above our current breach headlines and cybersecurity problems to make a special mark on cyberspace history for the 21st century.

Why do I say a larger opportunity was missed? Most Americans didn’t even notice that the event occurred. There were no famous lines causing personal introspection for smartphone users. The President, with his outstanding oratory skills, could have given us a heart-felt appeal for individual online changes.

As a life-long security professional and an author with a passion for online safety, Internet integrity and cybersecurity, watching the event online left me anticipating more.

High Expectations for More

President Obama and his cyber team clearly understand the rising economic, military and societal challenges we face online. Before the President spoke, his national security team delivered an articulate picture of the significant dangers we face. President Obama’s State of the Union Address and recent speeches and press releases offered new cybersecurity proposals that should have bipartisan support in Congress. 

The President has also made several bold (but much more partisan) proclamations on other topics like Cuba and immigration reform. His team knows what will get attention in a cold, snowy Boston.

Leading up to Friday, the groundwork was set for an unprecedented speech on the future of securing cyberspace. This could have been a moment that historians placed just below Ronald Reagan’s famous words: “Mr. Gorbachev, tear down this wall!” Or, the President could have delivered a clear goal for our connected future that might have rivaled John F. Kennedy’s goal of “landing a man on the moon and returning him safely to the earth by the end of the decade."

And yet, there was no Monroe Doctrine for the Internet or Obama doctrine for 21st Century Cyberspace. No attention-grabbing answer to the relentless rise in data breaches. No rallying cry for technology companies. No bold Winston Churchhill moment promising, “We shall fight them (in this case bad-actor hackers) on the beaches…, we shall never surrender.”

What could the President have said?

The President had the opportunity to rise above the current cyber battles and data breach headlines to paint a headline-grabbing vision for the next century for America’s young people in a digital world. Why not boldly challenge those Stanford students and other watching to stop cyberbullying or become ambassadors for good in cyberspace? We missed lines like, "...What can you do for your country - given the new front lines in securing cyberspace?"

I would not go this far, but some might even borrow words from Enrique Oti and warn the world against cyberattacks against the United States Government or U.S. companies. Mr. Oti urges that, ”A hacker that targets the United States on behalf of an adversary should live with the fear that at any moment they may be snatched from their home or killed with an airstrike.”

The President rightly talked about how the World Wide Web is still young. He described the innovations, advances and opportunities ahead. He clearly stated our cybersecurity problems, and he did repeat four principles for combatting cybersecurity. Nevertheless, there were no passionate pleas other than the truth that the public and private sector need to work together to share more information.

Suspicions Confirmed   

Beyond my personal views or the opinions of select security experts, there was plenty of media evidence that this Cybersecurity Summit at Stanford did not hit home for most Americans.

The day after the event, which happened to be Valentine’s Day, I was looking for coverage from leading media outlets. I checked the news headlines at USA Today online. Nope – no mention of the speeches from Stanford as one of the nine top stories listed. Meanwhile, here were the “5 things you need to know this weekend” that received more attention than the White House Cybersecurity Summit:

1.       'SNL' turns 40 and is bringing out the big guns

2.       NBA All-Stars take it to the court

3.       West Coast ports halt in labor dispute

4.       Snow 'hurricane' to strike New England.

5.       Airlines offering free chocolate (for Valentine’s Day)

In case you think this lack of post-event news coverage was unique to USA Today, no Summit on Cybersecurity stories were found on the front pages of the Washington Post, NY Times or Wall Street Journal on Saturday.

[Additional note added on 2/15/2015: there were several pre-summit background cyber stories in the news. Further, Sunday papers around the country (two days after the event) were not reflecting on the event in their editorial or weekly wrap-up columns.]

True, all these papers did have small articles on the day of the event. But there no bold quotes, no special headlines to remember for decades, no personal computer solutions to act upon or heart-felt interviews from students who were inspired or even memorable answers that could rival the front page coverage from recent data breaches. Remember that coverage of the recent Sony breach lasted for weeks.

In contrast, the New York Times did run this major breach story on their front page on Valentine’s Day.

Even technology magazines like Computerworld, eWeek and others passed on headlines from the event. Most tech magazines did run stories about the White House Summit on Cybersecurity, but coverage was buried deep within their websites.  

On The Contrary - Many Good Things

No doubt, after reading this summary, some readers will think I was expecting too much. There were many very good results flowing from this inaugural event. Here are a few of the positive things that did happen.

·         First ever cybersecurity event that featured CEOs and top corporate executives talking about cybersecurity.

·         Unprecedented cybersecurity event was led by a sitting President - a first.

·         Excellent panel discussions on Balkanization of the Internet problems internationally.

·         Many commitments from companies on steps they will be taking on cybersecurity.

·         White House moved discussions forward with tech companies on privacy. But the Summit also exposed continued privacy fears by tech companies.

·         Better authentication techniques are needed, and they were discussed.

·         Great panel discussions on timely topics discussing complicated technological topics.

·         Apple CEO Tim Cook announced that Apple Pay will be accepted at US Parks and Social Security.

·         Overseas coverage. The BBC led with, Cybersecurity: Tech firms urged to share data with US.   Here’s an excerpt from that article:

President Obama: ''We have to make cyberspace safer''

Private tech firms should share more information with government and with each other to tackle cybercrime, according to US President Barack Obama.

"We have to work together like never before" Mr. Obama said during a speech at a White House cybersecurity summit hosted in Silicon Valley.

The issue has become a White House priority since a widely publicized hack of Sony Pictures at the end of 2014.

But some key tech firms are concerned about government surveillance…

Final Thoughts

One way to judge the core messages coming out of significant U.S. events is to examine overseas media coverage from major news sources. The BBC.com excerpt listed above got it right, in substance and tone.

For security industry insiders, there was plenty to be happy about. Most people in our technology and security circles will be glad that the event occurred at all and that cybersecurity is now getting more serious global attention at the top management levels.

But the reasons for all the attention on cybersecurity right now are not good. We are losing too many corporate and government cyber battles. There are no easy answers to solve our complex cyber challenges. The new Presidential Executive Order should help, but it won’t be enough.

What is needed is a paradigm shift in this nation regarding online security, and I’m concerned that it didn’t happen on Friday. I doubt that President Obama will have another Cybersecurity Summit of this magnitude before he leaves office – unless a major cyber-emergency unfolds in the next two years. The cyberdefense baton will likely be passed to the next President, and we will hopefully make incremental progress on cybersecurity between now and early 2017.

Nevertheless, the Obama Administration has done more than any past President or other world leader on this issue – partially because of the unprecedented data breaches and technology changes that have occurred over the past six years. As our President rightly said, our nation’s cyberdefense remains a bipartisan priority.

This blogger hopes that Congress and the President can come together and truly add incentives to the sharing of threat information between the public and private sectors.

Bottom line, despite very good speeches, plenty of photo opportunities and respectable outcomes, Friday’s White House Summit on Cybersecurity and Consumer Protection could have been much more. The event could have been a historic moment that altered the trajectory of cybersecurity, cyberethics, personal privacy and even the future cyberspace.

In my view, the event missed that higher mark.  

 

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso