Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference


Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight between Apple and the FBI over encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, commander of U.S. Cyber Command and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA Conference has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.


Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.

Key Takeaways from the White House Summit on Cybersecurity

Stanford University, Feb. 13, 2015

It was an honor to attend the White House Summit on Cybersecurity and Consumer Protection and I applaud President Obama’s efforts to bring together an impressive group of leaders across a broad range of industries, government and law enforcement officials, and consumer and privacy advocates to discuss cybersecurity. This is an issue that affects us all and clearly has no borders. While there were several core themes discussed throughout the day, three key takeaways are of particular interest to private industry:

Public-Private Collaboration is Critical
The overarching theme presented by the White House was how to boost the collaboration between companies and agencies in order to combat hackers. The announcement in the days preceding the Summit of the new Cyber Threat Intelligence Integration Center (CTIIC) was just a first step. As further validation of the importance and urgency the White House attaches to the issue, at the Summit President Obama signed an Executive Order directing the creation of Information Sharing and Analysis Organizations (ISAOs), which will enable companies and the government to share classified cyber threat information. Only with an ongoing sharing of threat information between the government, including the Department of Homeland Security and the Federal Bureau of Investigation, and companies across industry groups, will we be successful. With much of the order voluntary, companies across all industries are also being asked to step up to the table now, not only to share threat information but to establish best practices within their organizations in order to protect their constituencies in the future. This too is critical, since the maintenance of best practices is closely tied to a company’s ability to get cyber insurance.

Understanding Vulnerabilities is Key to Improving Best Practices
While the need to focus on the security systems operating behind consumer payment systems in order to make it harder for hackers to steal information is absolutely critical, and Apple CEO Tim Cook was quite persuasive on this point, to stop at payment systems alone would not put an end to cyber attacks. In order to enhance consumer protections online, single-factor authentication, or the password as the primary form of security, is a dated practice that should be replaced with more secure technologies. Companies also need to be mindful that criminals can breach a business’s defenses in any number of ways – directly through company networks and also indirectly through the network of vendors and third-party service providers. What is needed is a fuller understanding of all the possible threats, malicious actors and the broad range of tactics those actors will employ. Across all industries, companies are facing a highly complex and constantly evolving threat environment with new attackers and attack methods to be wary of in order to protect their partners, clients and customers.

What Comes Next is Even More Meaningful
While it is essential for the United States to take a leadership role on this important issue, with guidelines and processes for internal consumption, we cannot merely look inward. We are living and working in an increasingly interconnected and globalized environment, and that environment also includes criminal elements. Cyber threats from foreign countries, such as Russia, China and North Korea, keep growing. Sharing information alone won’t stop them. The next steps from our government in protecting our nation’s business must be even more meaningful. We urge cooperation with international law enforcement agencies to help protect companies from foreign-based threats and to help make significant progress in this area.

What the 2015 State of the Union Means for Risk Managers


Last night, President Obama delivered the annual State of the Union. Unsurprisingly, the speech covered a variety of topics ranging from foreign affairs to civil rights to climate change. While these issues may ultimately have little impact on the insurance industry or risk management, there were two topics raised that could be of significant interest.

The first relates to tax reform:

“As Americans, we don’t mind paying our fair share of taxes, as long as everybody else does, too. But for far too long, lobbyists have rigged the tax code with loopholes that let some corporations pay nothing while others pay full freight. They’ve riddled it with giveaways the superrich don’t need, denying a break to middle class families who do,” Obama said.

For the past few years, the Obama administration’s annual budget proposal has included a measure that would deny a tax deduction for certain reinsurance premiums paid to foreign-based affiliates by domestic insurers. While the administration and some members of Congress deem this deduction a “loophole,” it is actually a commonly used and effective risk management tool. Doing away with this particular “loophole” would force the industry as a whole to reduce the size and scope of its U.S. offerings. A previous economic impact study found that this proposal would reduce the net supply of reinsurance in the United States by 20%, thus increasing prices by $11 to $13 billion annually for the same coverage. If Congress does take up comprehensive tax reform, this is certainly an initiative that many in the industry will need to keep an eye on.

The other issue is cybersecurity:

“And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” the president said.

Cybersecurity and the management of cyberrisks is certainly one of the hottest topics in the industry. While it remains unclear what proposed legislation will look like, we will almost certainly see at least one major piece of cybersecurity legislation introduced in the next few months. Previous efforts have focused on information-sharing. With the number of attacks and damage inflicted only increasing, however, it is quite possible that new legislation may be even broader in scope.

It is also important to note that simply including something in a State of the Union address does not always translate into real action. It is quite possible that tax reform will get tabled again as various factions are unable to agree. It’s also possible that Congress will be unable to come up with a cybersecurity bill that achieves many of its goals without undermining the privacy or personal security of individuals. It is, however, an overview of the administration’s priorities for the coming year, and that does still carry some weight.

New Preliminary Cybersecurity Framework Champions Risk Management


In February, President Obama issued an executive order instructing the Commerce Department to lead a task force of security experts and industry insiders to develop a voluntary framework to reduce cyberrisk. Last week, the National Institute of Standards and Technology officially released an initial draft of the cybersecurity framework and announced a 45-day open comment period for public input.

The full Preliminary Cybersecurity Framework can be viewed on the NIST website. After the review period and subsequent revisions, a more complete version will be released in February.

Risk management is a primary focus of the new framework, from the language used to analyze potential exposure to express endorsements in the policy itself. According to a press release, “The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.”

Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher, who was tasked with overseeing development of the framework, emphasized risk management as a critical component of strengthening national infrastructure in line with the president’s executive order. “We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business,” Gallagher said. “The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies.”

The framework outlines key functions that should organize cybersecurity activities: Identify, Protect, Detect, Respond and Recover. These functions are designed to aid the risk manager in evaluating, communicating and fortifying against cyberrisks. The document even presents itself as an opportunity for risk managers to get involved in proactive cyberrisk strategy. It reads, “The functions also align with existing methodologies for incident management, and can be used to help show the impact of investments in cybersecurity.”

The authors also added a visual (figure: “Risk Management in Cybersecurity Framework”) to highlight the critical role of risk management at every level of suggested implementation.

In a blog post, the White House encouraged businesses to evaluate the initial framework and their current cyberrisk position, and to consider their cyber risk appetite in the form of a projected target state for cybersecurity.