Supported by Cylance.

Greetings!

Special Section: breaking news from the President's Cyber Security Summit

THE CYBERWIRE (Monday, February 16, 2015) — We had planned to take today off for the Presidents' Day holiday, but the current US President's Friday cyber security summit in Silicon Valley has changed our minds. We therefore offer this brief account of that summit, the Executive Order signed there, and reactions to both.

President Obama met at Stanford University with industry leaders to outline his plans for enhancing cyber security, to push for more industry cooperation with the Government, and to make a plea for more effective cyber-threat information sharing. The meeting did succeed in bringing serious, senior business leaders together (despite the animadversions represented by the much-noted absence of the Google, Facebook, and Yahoo CEOs). The industry leaders present generally supported the NIST framework, encouraged mutual threat information sharing, and asked for liability protections (especially with respect to information shared with the Government). Industry support for the NIST Framework seemed particularly pronounced.

The President was particularly concerned with threat information sharing, casting it as important to both economic and national security (making the right sorts of soothing noises about security needing to respect civil society, privacy, and civil liberties).

The centerpiece of his appearance was signing an Executive Order, "Promoting Private Sector Cybersecurity Information Sharing." The Order's key elements are:

— Creation of "information hubs," more formally "Information Sharing and Analysis Organizations" or "ISAOs." He envisions these as loci where stakeholders can share information on particular threats in specific economic sectors or geographical regions. The ISAOs would be private and voluntary bodies (and the Executive Order specifies that they can be organized by either for-profit or not-for-profit organizations) that would also establish voluntary standards for their members.

— A directive that the Secretary of Homeland Security will "strongly encourage" formation of ISAOs. The Secretary will also ensure that his Department's National Cybersecurity and Communications Integration Center (NCCIC) will "engage in continuous, collaborative, and inclusive coordination" with the ISAOs.

— Authority for the NCCIC and the new national Cyber Threat Intelligence Integration Center (CTIIC) to share threat data with the ISAOs. Some of the data are envisioned to originate from classified sources, and the decision whether to release such data through the Department of Homeland Security will reside with the Director of National Intelligence (presumably acting through his CTIIC).

— A call to the ISAOs to develop and abide by appropriate privacy protections.

This Executive Order is advisory with respect to the private sector (to be expected, since a President cannot direct the private sector to take action except in extreme circumstances, and President Obama isn't prepared to claim the nation's in extremis with respect to cyber security). The CTIIC's role remains, so far, unformed — there was a sense among those in attendance that the new Center is still in its aspirational stages.

Access to classified intelligence is an interesting piece of the information-sharing plan, but since authority to release such information to the Department of Homeland Security for further sharing rests with the Director of National Intelligence, it's unclear how much will actually change.

The Executive Order's provisions to permit both for-profit and not-for-profit entities to form ISAOs recognize the various industry information-sharing efforts currently in progress, probably evincing a desire not to unravel work already done.

How the Executive Order works out in practice remains to be seen. The devil, as one knowledgeable observer told us, is here as elsewhere in the details.

Some areas of interest that received relatively little attention at the summit included breach notification practices (or regulations), STEM education, and Computer Fraud and Abuse Act reform.

Apple's CEO Tim Cook was among the most prominent industry leaders to participate. He took the opportunity to underscore the importance of industry's commitment to customers' privacy. This of course highlights Apple's differences with some elements of the Government (notably within the Justice Department) over encryption, and also with some of Apple's competitors. ("If you're not paying for the product, you are the product," may be what Fortune calls a "cyberchestnut," but it does signal what Apple thinks sets it apart from Google, Facebook, and Yahoo.)

Industry both anticipated and responded to the White House initiatives with a flurry of threat intelligence and information-sharing solutions and consortia. FireEye jumps into this market space (as Facebook did early last week), and the Cyber Threat Alliance announces four new industry members. Reactions come as well from the UK's cyber security sector: Computer Business Review has a rundown. Back stateside, the US Attorney for the Western District of Pennsylvania thinks that anyone interested in seeing cyber information sharing done right should look toward Pittsburgh. (That's not pure hometownism, either — a number of high-profile investigations of Chinese industrial espionage have been developed in the Steel City.)

A local note: blizzards are fast approaching the US Northeast and Mid-Atlantic region. If you're planning to attend any of this week's cyber conferences in the area, please check the conference websites for weather updates.


Dateline Palo Alto: the latest from the President's Cyber Security Summit

Executive Order — Promoting Private Sector Cybersecurity Information Sharing (The White House) By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows…

Obama order allows sharing of data on cyberattacks (Baltimore Sun) President Barack Obama, appearing Friday at a summit on computer security, signed an executive order to make it easier for businesses to peer into the government's deep reservoirs of data on cyberattacks — the latest attempt to draw the private and public sectors together against what officials describe as an unrelenting assault on the nation's computer networks…

Obama signs executive order at Stanford cybersecurity summit SPECIAL (Digital Journal) President Barack Obama signed an executive order laying out new ways for corporations to share information on emerging online threats at a cybersecurity summit at California's Stanford University…

Obama Cites Sony Hack in Push for Cybersecurity Measures (Newsmax) President Obama signed an executive order on Friday to encourage private sector companies to share information about cyber-threats among themselves and the federal government, citing the Sony hacking attack as one example of the need for further measures and legislation…

Silicon Valley: Obama calls on corporations to work with government to prevent cyberattacks (San Jose Mercury News) Saying cyberattacks could disrupt critical infrastructure, threaten public safety and undermine the economy, President Barack Obama on Friday called on private corporations to work with the federal government to shore up network defenses…

Obama Calls on US Firms to Help Fight Cyberattacks (Voice of America) Days after a data breach affecting 80 million customers of health insurer Anthem was disclosed, President Barack Obama on Friday urged U.S. firms to join the fight against cyberattacks, which he said were among the greatest threats to U.S. national security…

White House Pushes Industry on Cyberthreat Data Sharing (Financial Planning) As financial advisors face mounting scrutiny from regulators over their cybersecurity systems, the White House is calling for policies that will make it easier for businesses to share information on new and emerging threats…

Obama Wants Tech Firms to Alert Feds to Cyber Threats (PC Magazine) Two years after CISPA, information sharing between the feds and private sector is back with an Obama executive order…

Obama's New Order Urges Companies to Share Cyber-Threat Info With the Government (Wired) President Barack Obama announced a new Executive Order today aimed at facilitating the sharing of information about cyber-threats between private sector companies and the government…

Obama Focuses on Cyber Security, but NSA Remains an Issue (Re/code) President Obama called for companies to voluntarily share more cyber attack information with federal agencies during a first-ever White House summit on cyber security issues, signing an executive action to help pave the way for such sharing…

How Cyber Security Is Like Basketball, According to Barack Obama (Re/code) President Barack Obama used a sports simile to explain why the American government's work to infiltrate other countries and groups around the world isn't hypocritical — especially in light of its condemnation of North Korea's alleged role in the massive Sony hacking scandal of the past few months…

Apple video: Tim Cook on cybersecurity (Fortune) At the White House cybersecurity summit Friday, Tim Cook — as predicted — used the opportunity to contrast Apple's business model with Google's, Facebook's and Yahoo's, using a variation of the old cyberchestnut "if you're not paying for the product, you are the product"…

Why Apple's CEO went to Obama's cybersecurity summit (Fortune) But the CEOs of Google, Facebook and Yahoo did not…

Obama, Tim Cook, Others Debate Sharing Cyber Security Data (InformationWeek) The Obama White House wants more effective sharing of cyber security data between the public and private sectors. Despite some snubs, Apple's Tim Cook spoke at a special summit on the issue…

Obama Needs Silicon Valley on His Team (Bloomberg View) President Barack Obama will reportedly announce a new executive order today that compels companies and the government to share threat information as part of an effort to defend against the sorts of cyber-attacks that crippled Sony Pictures and exposed the Social Security data of 80 million Anthem insurance customers…

Cybersecurity spawns a spreading bureaucracy (Hamilton Spectator) Give a warm welcome to the newest member of the U.S.'s national cybersecurity family, the mellifluously named Cyber Threat Intelligence Integration Center…

Cybersecurity Ambivalent Over Obama Data Summit (Computer Business Review) Industry sceptical about motives and objectives of advisory order…

Obama Cybersecurity Efforts Stir Privacy Debate (Voice of America) U.S. President Barack Obama signed an executive order Friday aimed at encouraging companies and organizations to share more information about cybersecurity threats with the government and each other…

Cyber-Security Executive Order Encourages Companies to Share Threat Info with Homeland Security (Breitbart) At a Stanford University cyber-security summit on Friday, President Obama is expected to announce yet another executive order bypassing Congress, this time pertaining to Internet security…

The Limits Of Cyber Threat Information Sharing (Forbes) For the last several years, corporate computer networks have been under constant attack. Those attacks have grown in number and sophistication — and the consequences of breaches have become more severe. In order to protect themselves against this onslaught, companies need to stay abreast of the constant changes in their attackers' methods. One of the best ways to do this is by sharing information with organizations that face similar challenges. Toward this goal, public-private information sharing has been a cornerstone of US cybersecurity strategy since the Clinton administration. However, efforts are consistently stymied by the understandable private sector secrecy following an incident, weak government incentive and enforcement regimes and imprecise guidelines…

How Companies Can Ward Off the Hacker Hordes (Wall Street Journal) Given the Sony and Anthem hacks, the corporate cybersecurity summit is long overdue…

U.S. Attorney: Pittsburgh a model for Obama's cyber sharing proposal (Pittsburgh Tribune) Pittsburgh has shown the world how government agencies and the private sector can work together to solve computer crimes, U.S. Attorney David Hickton said Friday…

FireEye Inc Announces Global Threat Intelligence Sharing (Bidness Etc.) FireEye announced its new initiative at the White House summit, which will allow companies to leverage Adaptive Defense architectures…

Barracuda, ReversingLabs, Telefonica and Zscaler Join Cyber Threat Alliance as Contributing Members (PRNewswire) McAfee Labs, Palo Alto Networks® (NYSE: PANW) and Symantec (NASDAQ: SYMC), co-founders of the industry's first cyber threat alliance, today announced that Barracuda Networks, Inc. (NYSE: CUDA), ReversingLabs, Telefónica, and Zscaler have joined the Cyber Threat Alliance in its efforts to make united progress in the fight against sophisticated cyber adversaries…

CIA needs just 6 years to release data, not 28 (Politico) The CIA has some good news for a group demanding a copy of the agency's database of nearly 12 million declassified documents: it won't take 28 years to release the set, only six…

Cyber Events

For a complete running list of events, please visit the event tracker on the CyberWire website.

Newly Noted:

Mercury Proposers' Day Conference (IARPA1, Washington, DC, area, USA, March 5, 2015) The Intelligence Advanced Research Projects Activity (IARPA) will host a Proposers' Day Conference for the Mercury Program on March 5, in anticipation of the release of a new solicitation in support of the program.

Coming This Month:

Cybergamut Technical Tuesday: An Hour in the Life of a Cyber Analyst (Hanover, Maryland, USA, February 17, 2015) This hands-on workshop will demonstrate how easy it is for a breach to occur by analyzing a virtualized web server environment. Participants will use open source tools such as port scanners and protocol analyzers to identify security issues and then attempt to exploit the discovered vulnerabilities. Following the hands-on activity, the workshop will conclude with a discussion about how to avoid some of the security failures that were identified. The workshop will be presented by Ryan Harvell of OPS Consulting and Marcelle Lee of Anne Arundel Community College CyberCenter.

Cyber Risk Wednesday: Breaking the Cyber Information-Sharing Logjam (Washington, DC, USA, February 18, 2015) A moderated discussion on challenges and solutions for information-sharing, the Administration's recent proposals for better practices between the private sector and government, and goal-directed approaches to sharing. The event will be accompanied by the release of a report, supported by CISCO, which examines the challenges of information-sharing, the Administration's emerging proposals, along with solutions to breaking the current logjam.

Cyber Framework and Critical Infrastructure: A Look Back at Year One (Washington, DC, USA, February 19, 2015) Last February, the Obama administration rolled out the nation's first cybersecurity standards to protect critical infrastructure. One year later, Dr. Phyllis Schneck, the Department of Homeland Security leader responsible for helping institutions implement the new standard, will reflect on how the nation has improved its protection of critical infrastructure over the last year. We'll discuss the effectiveness of the standard so far, whether security protections are strong enough, and if incentives are attractive enough to induce companies to take on the new standard.

DEFCON | OWASP International Information Security Meet (Lucknow, India, February 22, 2015) Defcon | OWASP Lucknow International Information Security Meet is a combined meet of Defcon and OWASP Lucknow. Defcon Lucknow is a DEF CON registered convention for promoting, demonstrating & spreading awareness regarding the field of Information Security and OWASP Lucknow is a chapter of OWASP Community.

10th Annual ICS Security Summit (Orlando, Florida, USA, February 22 - March 2, 2015) Attendees come to the Summit to learn and discuss the newest and most challenging cyber security risks to control systems and the most effective defenses. The Summit is designed so you leave with new tools and techniques you can put to work immediately when returning to your office. The summit will allow you to learn from industry experts on attacker techniques, testing approaches in ICS, and defense capability in ICS environments.

Cybersecurity for a New America: Big Ideas and New Voices (Washington, DC, USA, February 23, 2015) In addition to featuring keynote remarks by Admiral Mike Rogers, Director of the National Security Agency, this event will convene experts and practitioners from the public and private sector, military, media, academia, non-governmental and intergovernmental organizations for a series of discussion panels and first person "pop-up" style speeches on the wide range of cybersecurity issues that are affecting and infecting everything from personal devices and corporate networks to national defense and international affairs. The focus of the event will be to push past the status quo and instead explore the next generation of challenges, as well as highlight bold, new ideas to face them. CNN is the event's media partner and will provide a live-stream of the event.

Workforce Development Forum — CyberWorks Information Session (Baltimore, Maryland, USA, February 24, 2015) Are you a technology company that would like to actively participate in growing the right candidates for your open IT and cybersecurity positions? Are you a job seeker interested in pursuing a career in IT/cybersecurity who would benefit from business mentorship and hands-on practical work experience? If you said yes to either question please join us at the upcoming CyberWorks information session to learn how you can benefit from this innovative program. CyberWorks is an industry-led, workforce development program designed to help Maryland companies fill their cybersecurity needs with qualified candidates, while simultaneously helping individuals start careers and improve Maryland's economy.

Cybersecurity: You Don't Know What You Don't Know (Birmingham, Alabama, USA, February 24 - 25, 2015) What: Connected World Conference in partnership with University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research (The Center) have teamed up to bring professionals together to discuss security and connected devices. Purpose: Convene the leading industry, government, and academia leaders. Chief Objective: Influence professionals from the most innovative and influential organizations in the world will meet to unravel the relationship between the connected society and cybersecurity.

The Future of Cybersecurity Innovation (Washington, DC, USA, February 26, 2015) The US intelligence community has ranked cyberattacks as the No. 1 threat to national security — more than terrorist groups or weapons of mass destruction. But the military's cyberwarriors fight these battles hunkered over computers, working with strings of code — a laborious process that requires advanced engineering skills. That's why the Pentagon's advanced research arm, the Defense Advanced Research Projects Agency (DARPA), is building a system to give the military instantaneous knowledge of network attacks by displaying them in real-time with rich graphics and 3-D visualizations.

NEDForum: Cyber Network Exploitation and Defence: "Darknet & the Primordial Soup of Cyber Crime" (Edinburgh, Scotland, UK, February 27, 2015) Speakers will cover such topics as: "Fear and loathing on Darknet," (Greg Jones, Managing Consultant, Digital Assurance), "Securing the internet of everything" (Rik Ferguson, Global Vice President Security Research, Trend Micro), and "Is your organisation setup for success in security?" (Patrick Brady, Independent Consultant).

Compiled and published by the CyberWire editorial staff. Views and assertions in source articles are those of the authors, not the CyberWire or Pratt Street Media, LLC.
The CyberWire is published by Pratt Street Media and its community partners. We invite the support of other organizations with a shared commitment to keeping this informative service free and available to organizations and individuals across the globe.