[SAN FRANCISCO] President Barack Obama signed a new executive order on Friday that compels companies and the government to share threat information as part of an effort to defend against the sorts of cyber-attacks that crippled Sony Pictures and exposed the Social Security data of 80 million Anthem insurance customers.
He made the announcement during the White House summit on cybersecurity and consumer protection at Stanford University. The decision to hold the summit in Silicon Valley suggests that, in part, the administration wants to be a better partner with the tech industry in the fight against cybercrime.
But the tech industry is ambivalent about a closer relationship with government intelligence agencies, as evidenced by the fact that Yahoo, Facebook and Google didn't send top executives to the summit.
The tech industry's wariness of government involvement predates revelations by former government contractor Edward Snowden, says JJ Thompson, the founder of consulting firm Rook Security. Some of the revealed National Security Agency spy programs, including Prism, collected data from big Internet companies.
Tech companies are loath to share information that "violates individual privacy or that invades civil liberties," says venture capital investor Alberto Yepez. The relationship between tech companies and the government has become more complicated as companies such as Microsoft have waged high-profile legal battles to protect customer data.
Most smart tech professionals know such a partnership is vital. Public companies need information from the government to adequately protect themselves, as people actively working on the Anthem breach can attest: The health-care industry has heavily relied on information from the Federal Bureau of Investigation to understand the scope, severity and consequences of the attack.
Corporate cybersecurity officers are in favor of such real-time collaborative defense, says Bessemer Venture Partner David Cowan, who invests heavily in security startups. He says he agrees with executives and investors who say that "perceived liability" currently stands in the way of true collaboration.
The mechanics of an executive action could alleviate those fears by putting into place basic protections that let companies share information anonymously and protect them from legal liability if they do give the government information - protections similar to those that the president proposed to Congress. An executive order would probably be more limited in scope than legislation, but it could more quickly put protections into place.
No one disagrees that tech companies could be big allies in the fight to protect the country's online infrastructure; most agree that corporate America needs intel from agencies such as the FBI and the Central Intelligence Agency to respond effectively to threats. Thompson says that many companies don't even know they've been breached until the FBI calls and alerts them to suspicious activity.
But data sharing can't happen until tech firms can protect themselves from liability and their customers from mass surveillance that could violate their civil liberties. If the president can't lay down that groundwork, it will be up to Congress to get the job done. That's the sort of thing that really makes me fear for our online safety.