President Barack Obama signed an executive order Friday tasking the National Institute for Standards and Technology to work with the private sector to identify existing voluntary consensus standards and industry best practices and build them into a cybersecurity framework.
The president signed Executive Order 13636, called "Improving Critical Infrastructure Cybersecurity," during the White House Summit on Cybersecurity and Consumer Protection at Stanford University. President Obama spoke following Apple CEO Tim Cook. Many top executives from the internet, banking and security industries were also on the program, which ran all day.
The summit was notable for who did not attend, namely Silicon Valley luminaries like Facebook's Mark Zuckerberg, Yahoo's Marissa Mayer and Google's Larry Page, who reportedly stayed away out of concerns about government surveillance. Other executives from those companies were in attendance.
The executive order mandates the creation of specialized organizations under a single framework that will allow for the flow of communication between the technology, finance, energy, and healthcare industries and the federal government, reported CNET. The Obama administration had previously pushed for a 30-day reporting window for data breaches.
"Government cannot do this alone," Obama said. "The fact is, the private sector cannot do this alone either, as government has the latest information on threats. Today I'm once again calling on Congress to come together and get this done."
Obama's speech came at a time when the losses from the Anthem health insurance company breach could reach $100 million, and a hacking ring has stolen as much as $1 billion from banks located around the world, according to reports.
"We have a lot more work to do to solve these problems, which are causing billions of dollars' worth of loss in our economy each year," Obama said. "We need all of us to work together to achieve what none of us can achieve alone. And it's hard. Some of these issues have defied solutions for years."
Other officials elaborated on the administration's plans. For example, Lisa Monaco, a White House security adviser, said a new agency, the Cyber Threat Intelligence Integration Center, would be created to coordinate federal government information about cyber threats, reported JD Supra Business Advisor. The president's plan will delegate the role of information sharing with the private sector to the Department of Homeland Security, rather than the National Security Agency, USA Today reported.
"Hopefully the rules will prohibit the use of the information shared being used for surveillance," Greg Nojeim, a senior counsel with the Center for Democracy and Technology, Washington, D.C., told USA Today.
Attendees at the summit were supportive of the President's plan, but some wanted more. Tony Earley, CEO of Pacific Gas and Energy, said that cybersecurity must be "a new Manhattan Project," and include a strong partnership between the government and the private sector, according to JD Supra. Kenneth Chenault, CEO of American Express, said information sharing is "the single highest-impact, lowest cost, and fastest way" to increase security.
The PCI Security Standards Council, an open global forum for the development of payment card security standards, applauded the progress made at the cybersecurity summit.
"Today's productive discussion kicks off a year that will be the most transformative year in our industry's history," said Stephen Orfei, general manager, PCI Security Standards Council, in a prepared statement. "The president's new emphasis on cybersecurity issues – coming after recent high-profile attacks and before the U.S. transition toward EMV chip technology later this year – has moved these critical issues front and center on the national stage," he said.
"Today we saw an unprecedented gathering together of organizations like PCI and others in the data security world who are coming together to tackle this ever growing global threat. Leaving here today we should all be challenged to come up with new and creative ways to stop the bad guys. We look forward to participating in and leading that discussion," Orfei said.
"We welcome the Obama Administration and Congress's attention to these critical issues while reminding everyone that no single technology is the answer and today's summit is merely the beginning of the discussion in 2015 on data security. We cannot fall into the trap of thinking there's a silver bullet, there isn't. A collaborative and vigilant effort between government and the private sector is the only way forward. We welcome more information sharing, stronger law enforcement, and believe global alliances and partnerships between the private and public sector are the best path to creating cyber security in the 21st century," he said.
Update 5:45 p.m., Feb. 17, 2015
See this White House statement
See this CNET article
See the PCI Security Standards Council statement
See this JD Supra Business Advisor report
See this USA Today story
See this Washington Post story
See this Atlanta Business Chronicle story
See this eWeek story