Last Friday, President Barack Obama addressed Stanford students at the White House Summit on Cybersecurity and Consumer Protection, bringing CEOs and government officials from across the country together to discuss how to protect our growing digital economy. In his half-hour speech, Obama affirmed his support for net neutrality, student privacy rights, and governmental cybersecurity measures (cracking more than a few jokes in the process). But perhaps more important than the speech was what Obama did directly afterwards — signing the “Promoting Private Sector Cybersecurity Information Sharing” executive order. The order contains a plan to develop Information Sharing and Analysis Organizations (or ISAOs) around the country with government support, along with plans to bolster the reach of the National Cybersecurity and Communications Integration Center. But regardless of how successful Obama’s executive order is, his plan is not enough to disarm the serious threats to our digital security.
This isn’t to say there aren’t a variety of merits to the plan. It should make it far easier for private companies to collaborate amongst themselves and share information in the event of a security breach. And if Obama (somehow) has his way in Congress over the next few months, there will be a number of other reforms put in place, including cybersecurity accountability measures and a comprehensive “Consumer Privacy Bill of Rights.” Furthermore, any initiative that brings more attention to cybersecurity in a country where nearly half of us have had personal information exposed in the past year and most care little about online security outside of smartphone pin codes and two-step authentication is certainly something to be desired.
The central problem is that Obama’s plan fails to tackle the most important part of cybersecurity: how exactly cooperation between the public and private sector will work. As Obama said in his address, “This has to be a shared mission … Government cannot do this alone. But the private sector cannot do it alone, either.” And Obama’s plan, for all its positive contributions, does remarkably little to facilitate this sort of necessary cooperation from either a policy or a procedural standpoint.
What does it take to get government and business to work together productively in the cyber security realm? Ken Chenault, American Express CEO, made it clear in his panel discussion at Friday’s cybersecurity summit: “What we’re really talking about when we talk about cybersecurity is trust.” The extent to which consumers trust companies like American Express to behave safely, ethically, and respectfully in their online dealings is integral to the companies’ bottom line. Trust between the private sector and the government is integral to internet security. But the fact of the matter is that recent governmental power-grabs, from those revealed in Snowden’s leaks to the more recent situation of government-sponsored spying programs hidden in US products, give private corporations few reasons to trust the government in today’s digital realm.
Obama is aware of the existence of this mistrust. The day after his Stanford appearance, in an interview with Recode’s Kara Swisher, he noted that “the Snowden disclosures were really harmful in terms of the trust between the government and many of these companies.” So, in this post-Snowden world, how do we promote a greater level of trust between the federal government and private companies? Here are two suggestions that can at least lead us in the right direction.
First, we should work to make government more transparent. If companies aren’t able to see how their shared data is being used by the government, what incentive do they have to give it up? More transparency would be a catalyst for cooperation, and would also help ensure customers that companies aren’t betraying them when giving up their data for cybersecurity purposes. Yet in past years, more FOIA (Freedom of Information Act) requests have been denied than ever before, and confidential requests for personal data through the Foreign Intelligence Surveillance Act are on the rise. These things need to change before the government and private sector can cooperate adequately.
Second, government must genuinely respect consumers’ right to privacy. Consumers’ trust that a company will respect their privacy online is critical to its economic success. However, by attempting to crack down on private companies’ protection of their customers’ data, and even at times forcing them to install backdoors to their encryption methods, the Obama administration has hurt consumers and companies alike. And by ignoring the privacy concerns raised by their actions, the administration has further eroded the already shaky trust between business and government. If Obama expects companies to voluntarily share their cybersecurity information and algorithms in the future, it’s important for policies such as these to be discontinued.
To conclude his speech, Obama quoted one of the key philosophies from Google — that, with the help of technology, “the future is awesome.” But I think there might have been a more apt Google catchphrase for him to use: “There’s always more information out there.” When it comes to cybersecurity, it’s no secret that we’ve got a long way to go in learning about and deterring the threats present to our internet today. Merely creating information sharing networks, such as the ISAOs in Obama’s executive order, cannot be enough. Only when we have an attitude of trust and respect between the government and private sectors can the meaningful cooperation necessary for a more secure internet exist. And if we can’t address the concerns of transparency and privacy that have held back this trust for so long, the future may be a very un-awesome place indeed.
Andrew Ntim is a freshman studying public policy.