I was fortunate to attend last week’s Silicon Valley Cyber Security Summit, where I spent 4 hours indulging my obsession with this subject while unfortunately increasing my level of paranoia. The panel discussions were excellent, bringing perspectives from security technology providers, pundits, the Dept of Homeland Security, two Congressmen, two Senators and execs from the outstanding Silicon Valley Leadership Group [#SVLG].
The first discussion centered around progress to date with Obama’s Executive Order (EO) issued in early 2013, and the potential for more formal cyber policy or regulation coming from the Congress. The cybersecurity problem offers a rare opportunity for the public sector to lead in a critical technology domain, but all of the day’s speakers emphasized the requirement for public-private partnership in addressing the challenge. There has actually been some good news around the Cybersecurity Framework, an outcome of the EO being driven by NIST, in which participation is voluntary but to which apparently 3000 private sector representatives have actually contributed. While governments actively push such information to the citizenry, companies need to share a lot more about what’s happening to them, what they’re learning and how they’re defending themselves – competitive concerns are keeping this constrained to date. Still, some progress is being made.
One of the biggest eye openers was the claim by several speakers that the public is just not engaged in this issue and therefore practices poor digital ‘hygiene’. I found this surprising and uncanny in the aftermath of the Target and Neiman’s attacks last Fall, and the August 5 revelation that a Russian crime ring had stolen 1.2 billion user name and password combinations and more than 500 million email addresses. WAKE UP PEOPLE – this is serious stuff!
Senator Saxby Chambliss (R-GA) extolled the virtues of his and DiFi’s Cybersecurity Information Sharing Act bill, which made it through the Intelligence Committee but still faces stiff opposition from privacy advocates. While speaking at length about the urgency of the issue, Sen. Chambliss then went on to say that Congress would only be working a whopping 3 weeks between now and the November Election!!!!! Two weeks for the Senate, one for the House. Wish I could get paid with great benefits for not working. Post-election will be a lame duck December, then the Freshman class must be educated on the issue. And then of course there were the references to don’t overregulate, etc. that will expose the usual partisan split. Bottom line, passage of a bill is unlikely anytime soon.
Everyone agreed that what would spur Congressional action would be a real crisis – a big attack that causes some real national pain. Let’s hope we don’t have to endure that to get something meaningful. It is also possible for Fed agencies like HHS, DHS, the SEC and others to impose cyber regulations within their domains – some are already doing so. And States are stepping up too, with a plethora of unique policies that will be nigh impossible to follow if you happen to do business nationally. Beyond the US, each country will have its own policies as well.
For me, the core issue behind all of the discussion was TRUST – people don’t trust the government, businesses don’t trust each other OR the government, the government doesn’t trust other governments … One speaker even joked that in the Silicon Valley, the NSA is seen as an ‘advanced persistent threat.’ Everyone is waiting for something BIG to happen, which it will sooner or later. Let’s hope later.
My next post will take up the 2nd worry point – the lack of a talent pool to address this mess!