FACT SHEET: White House Summit on Cybersecurity and Consumer Protection
As a nation, the United States has become highly digitally dependent. Our economy, national security, educational systems, and social lives have all become deeply reliant on cyberspace. Our use of digital networks provides a platform for innovation and prosperity and a means to improve general welfare around the country and around the globe, driving unparalleled growth. But this dependency also creates risks that threaten national security, private enterprises, and individual rights. That threat is not confined to the United States; everyone, everywhere who is connected to cyberspace faces it.
On February 13, the President is convening leaders from throughout the country who have a stake in bolstering cybersecurity – from industry, tech companies, and consumer and privacy advocates to law enforcement, educators, and students. Participants will discuss opportunities to spur collaboration and develop partnerships in the cybersecurity and consumer financial worlds to share best practices, promote stronger adherence to security standards, improve cyber threat information sharing, and encourage the adoption of more secure payment technologies.
This Summit comes at a crucial point. The President has been committed to strengthening our Nation’s cybersecurity since the beginning of his Administration and we have made significant progress. Yet, cyber threats to individuals, businesses, critical infrastructure and national security have grown more diffuse, acute, and destructive. Despite improvements in network defense, cyber threats are evolving faster than the defenses that counter them. Malicious actors ranging from sophisticated nation states to common criminals to hacktivists take advantage of the anonymity, reach, and broad range of effects that cyberspace offers. Because of the interconnected nature of the Internet, no one is isolated from these threats. We are at an inflection point, both domestically and internationally, and now is the time to raise the call for greater collective action.
Public and Private Commitments
Cybersecurity is a shared responsibility. The Federal government has the responsibility to protect and defend the country, and we do this by taking a whole-of-government approach to countering cyber threats. This means leveraging homeland security, intelligence, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and our national defense. Yet much of our nation’s critical infrastructure and a diverse array of other potential targets are not owned by the Federal government. The Federal government cannot, nor would Americans want it to, provide cybersecurity for every private network. Therefore, the private sector plays a crucial role in our overall national network defense. To that end, both the Federal government and the private sector are announcing key commitments today.
The Cybersecurity Framework
In 2013, the President signed an Executive Order on Critical Infrastructure Cybersecurity which resulted in the development of the Cybersecurity Framework, released on February 12, 2014. In taking a risk management approach, the Framework recognizes that no organization can or will spend unlimited amounts on cybersecurity. Instead, it enables a business to make decisions about how to prioritize and optimize its cybersecurity investments. The Framework also offers a flexible benchmarking tool for a wide range of organizations. For organizations that don’t know where to start, the Framework provides a roadmap. For organizations that are already sophisticated, the Framework offers a yardstick to measure against – and to use in communicating with partners and suppliers. Finally, the Framework creates a common vocabulary that can be used to effectively communicate about cyber risk management. The Framework is emerging as an important tool for technologists to communicate with organizational leaders on managing cyber risks. We have been encouraged by industry use of the Framework, and we will continue to promote its broad uptake both within the government and across the private sector. Today, the following corporations are announcing a commitment to using the Framework.
- Intel is releasing a paper on its use of the Framework and requiring all of its vendors to use the Framework by contract.
- Apple is incorporating the Framework as part of the broader security protocols across its corporate networks.
- Bank of America will announce that it is using the Framework and will also require it of its vendors.
- U.S. Bank and Pacific Gas & Electric are announcing that they are committed to using the Framework.
- AIG is starting to incorporate the Framework into how it underwrites cyber insurance for large, medium-sized, and small businesses and will use the Framework to help customers identify gaps in their approach to cybersecurity.
- QVC is announcing that it is using the Cybersecurity Framework in its risk management.
- Walgreens is announcing its support for the Cybersecurity Framework and that it uses it as one of its tools for identifying and measuring risk.
- Kaiser Permanente is committing to use the Framework.
Today the President is also signing an Executive Order to encourage and promote the sharing of cybersecurity threat information within the private sector and between the private sector and Federal government. Rapid information sharing is an essential element of effective cybersecurity because it ensures that U.S. companies work together to respond to threats, rather than operating alone. This Executive Order lays out a framework for expanded information sharing designed to help companies work together with the federal government to quickly identify and protect against cyber threats. From removing barriers, to helping to improve the delivery of timely and relevant intelligence to the private sector, to advocating for needed legislation, the President is committed to improving information sharing and collaboration with the private sector.
The following organizations will also be making commitments today:
- The Cyber Threat Alliance (including Palo Alto Networks, Symantec, Intel Security, and Fortinet) will announce that its new cyber threat sharing partnership is starting to build best practices and standards consistent with the new information sharing Executive Order.
- The Entertainment Software Association is announcing the creation of a new information sharing and analysis organization that will be built consistent with the new information sharing Executive Order.
- Crowdstrike is announcing that it will form an information sharing and analysis organization.
- Box is announcing that it will participate in the standards-development process for ISAOs, and that it will explore ways to use the Box platform to enhance collaboration among ISAOs.
- FireEye is launching its “Information Sharing Framework,” which allows FireEye customers to receive threat intelligence in near-real-time and provides anonymized threat indicators.
Secure Payment Technologies
In October 2014, the President signed an Executive Order to advance consumer financial protection and launched the Buy Secure Initiative. Today, the following organizations will announce new commitments to promote more secure payment technologies.
- Visa is committing to tokenization (replacing credit card numbers with randomly generated tokens for each transaction, so that stolen transaction data contains no usable card numbers) by the end of the 1st quarter of 2015.
- MasterCard will invest more than $20 million in new cybersecurity tools, including the deployment of Safety Net, a new security solution that will reduce the risk of large-scale cyber attacks.
- Apple, Visa, MasterCard, Comerica Bank and U.S. Bank are committed to working together to make Apple Pay, a tokenized, encrypted service, available for users of federal payment cards, including Direct Express and GSA SmartPay cards.
- Square is working with the Small Business Administration to roll out an education program aimed at persuading small businesses to adopt more secure payment technologies.
- The Financial Services Roundtable and the Retail Industry Leaders Association, on behalf of a partnership of 19 associations, are jointly announcing today the release of two papers to enhance collaboration on technology standards and principles for next-generation payment technologies that minimize the value of payments information if it is stolen or lost.
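The tokenization commitment above describes replacing the card number with a randomly generated token for each transaction, and the industry papers aim at payment data that is worthless when stolen. The following Python is an added illustration of the vault side of that design, not Visa's or any payment network's code: tokens come from the OS CSPRNG and carry no information about the card number, each token is redeemable exactly once, and tokens are deliberately made Luhn-invalid so downstream systems cannot mistake one for a real card number. The card number 4111111111111111 is a constructed test value, and the in-memory dictionary stands in for an HSM-backed vault inside the PCI DSS scope.

```python
"""Single-use payment tokenization: a random token stands in for the card
number (PAN) on every transaction. Added example, not a network's own code."""
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812-1); rejects malformed PANs
    before they are admitted to the vault."""
    if not pan.isdigit():
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(pan: str) -> str:
    """The only PAN-derived data a merchant keeps for receipts: last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps random, single-use tokens to PANs.

    The PAN lives only here (in production: an HSM-backed service inside the
    PCI DSS scope); every other system stores the token. Because the token is
    drawn from the OS CSPRNG rather than derived from the PAN, a stolen token
    database reveals nothing about the cards behind it.
    """

    TOKEN_LEN = 16  # same length as a typical PAN so legacy fields accept it

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}  # token -> PAN

    def tokenize(self, pan: str) -> str:
        """Issue a fresh token for one transaction. Raises on a malformed PAN."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(self.TOKEN_LEN))
            # Retry on a collision, and on the ~10% of random strings that
            # happen to pass Luhn: a Luhn-valid token could be mistaken for a
            # real card number by downstream systems (assumed design choice).
            if token not in self._vault and not luhn_valid(token):
                break
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Redeem a token exactly once (the processor's side of the flow).
        Returns None for unknown or already-spent tokens, so a replayed token
        cannot charge the card a second time."""
        return self._vault.pop(token, None)


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # constructed test PAN, not a real card
    t1, t2 = vault.tokenize(card), vault.tokenize(card)
    print(masked(card), t1, t2)   # two transactions, two unrelated tokens
    print(vault.detokenize(t1))   # the PAN, once
    print(vault.detokenize(t1))   # None: token already spent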
Multi-Factor Authentication
In order to replace the password as our primary means of security online, we must have new technologies that combine greater security and convenience. Multi-factor authentication moves beyond usernames and passwords by requiring two or more independent proofs of identity, such as a password together with a physical device or a biometric, so that a stolen password alone is not enough to impersonate a person.
Through the National Strategy for Trusted Identities in Cyberspace, the U.S. Government has invested more than $50 million over the past four years to advance this market in partnership with the research and development community and technology firms.
The following companies are announcing new initiatives to advance multi-factor authentication:
- Intel is releasing a new authentication technology that will not rely on a password, but will instead employ other technologies, such as biometrics.
- American Express is announcing rollout of new multi-factor authentication technologies for their consumers.
- MasterCard, in partnership with First Tech Credit Union, will announce that they will implement a new pilot later this year that will allow consumers to authenticate and verify their transactions using a combination of unique biometrics such as facial and voice recognition.
- In September of last year, CloudFlare enabled more than a million of its customers’ Web sites to support Universal SSL for free. Now it is taking another step to secure the Web by enabling every CloudFlare customer to support DNSSEC, the open standard that cryptographically signs DNS records so resolvers can verify that a domain’s answers have not been forged, by the end of the year.
Credit Score Transparency
A number of leaders in the financial services industry will be making credit scores more readily available to all Americans, improving consumers’ awareness of credit health and providing them a tool to identify major shifts in their credit score, a key first sign of identity theft.
- In partnership with FICO, Nationstar will join the growing list of firms making credit scores available for free to their customers by the end of the year.
Call for Legislative Action
The government and private sector have made significant commitments to advance cybersecurity and consumer protection. While we applaud Congress for passing several pieces of important cybersecurity legislation last year, key cybersecurity legislation is still needed. To support that call for action, last month the President sent our updated cybersecurity legislative proposal to Congress.
Enabling Cybersecurity Information Sharing: The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government and enhances collaboration and information sharing within the private sector. Specifically, the proposal provides targeted liability protection for companies that share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs).
The legislation also encourages the formation of private-sector led Information Sharing and Analysis Organizations. The Administration’s proposal safeguards Americans’ personal privacy by requiring private entities, in order to qualify for liability protection, to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared. The proposal further requires the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government’s sharing of cyber threat indicators. Finally, the Administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector. These existing relationships with law enforcement and other federal agencies are critical to the cybersecurity mission.
Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also reaffirms important components of the Administration’s 2011 cyber legislative proposals to update the Racketeer Influenced and Corrupt Organizations Act (RICO), a key law used to prosecute organized crime, so that it applies to cybercrimes, clarifies penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
National Data Breach Reporting: State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity. These laws require businesses that have suffered an intrusion to notify consumers if consumers’ personal information has been compromised. The Administration’s updated proposal helps businesses and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and by putting in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.
The Cybersecurity Summit marks a milestone in our Nation’s efforts to strengthen its cyber defenses. It provides an opportunity to discuss what we have accomplished to date and to highlight immediate commitments that the Federal government and the private sector are making to improve the security of cyberspace. However, in cybersecurity, we can never rest on past achievements. Therefore, even as we and the private sector make good on these commitments, we need to keep moving forward. We will continue to focus on strengthening the defenses of our critical infrastructure and government networks, improving our ability to disrupt, respond to, recover from, and mitigate malicious cyber activity, enhancing our international cooperation, and shaping the future of cyberspace to be inherently more secure. And we look forward to doing this in close collaboration with our private sector partners.