Tech and policy leaders convene at Stanford to discuss improvements for consumer cybersecurity

Last year, government intelligence agencies identified cyber attackers as the No. 1 threat to national security, and the threat to consumers is twofold. Hackers routinely breach the safeguards in place to protect private citizens’ identity, medical records and banking accounts. Industries and critical infrastructure face similar pressures, as a few keystrokes can release valuable intellectual property or crumble the electric grid.            

To address this growing concern, tech and policy leaders gathered at Stanford today for the White House Summit on Cybersecurity and Consumer Protection to discuss actions to improve the security of digital information. Cyberterrorism is a shared risk, and the Obama administration is pushing to partner with academics and the private to reduce the threat.

“This is a challenge that will demand a partnership, our governments, industry and universities,” Stanford President John L. Hennessy told the audience in Memorial Auditorium. “This is a tremendous opportunity to work together on these issues, and I have no doubt today’s summit will be incredibly stimulating.”

In the past year, several high-profile companies have been targeted and hacked by cyber terrorists. JPMorgan, Chase, Target and Home Depot have suffered significant attacks. And while the high-profile hack of Sony Pictures’ systems, allegedly by terrorists from North Korea, was embarrassing and bad for the studio’s business, the recent attack of health care giant Anthem highlighted the widespread and serious threat to consumers.

As many as 80 million current and former Anthem enrollees may have had their records stolen by hackers – including Social Security numbers, which were not encrypted.

A call for partnership

A main goal of the summit is to smooth relations between the government and tech companies, which have often resisted government oversight of their troves of user data. At the morning plenary sessions, Cabinet officials and industry leaders encouraged closer partnerships between government and industry.

“In order to incentivize greater industry sharing, we need to pass legislation that provides liability protection for private sector sharing,” said American Express CEO and Chairman Kenneth Chenault during a morning plenary session, “Public-Private Collaboration on Cybersecurity.”

The government needs to share with the private sector in an appropriate manner the indicators of an attack, he said, in order for companies to respond to cyberattacks quickly and with force. These partnerships help industry defend consumer networks against hackers, he said, but some simple changes to current regulations could significantly advance defensive capabilities.

An outdated regulation from the early 1900s prevents American Express from contacting most of its customers by mobile phone to alert them of possible fraud, Chenault noted. Those whom the fraud department is able to text respond in less than 60 seconds, a reaction time that provides a measurable impact on fighting fraud, he said, and reduces annoying charges to consumers. Similar measures make it difficult to protect private medical records as well.

The panel also discussed the serious threat to energy and communication systems, which allow all other infrastructures to function. The energy infrastructure is largely privately owned, and is increasingly vulnerable because of its high degree of remote control and automatic commands initiated by constant data collection.

“If we don’t protect the energy sector, we’re opening all other sectors to peril,” said Elizabeth Sherwood-Randall, deputy secretary of the U.S. Department of Energy.

She also encouraged members of government and the private sector to take advantage of areas where regulations don’t prohibit action.

“We can’t wait for regulations to fight cyberattacks,” said Sherwood-Randall. “We would be perpetually behind the threat if we were to do that.”

At the same time, the panelists agreed that steps should be taken to ensure that industry and government are sharing lessons about data, and not the personal data itself. Consumers need to feel free to live their lives online, they concurred.

“Just because I put all my data on Facebook doesn’t mean I don’t want privacy, that is not a valid argument. I should be able to have a fully digital self without worrying that I’m being spied on,” said Nuala O’Connor, president and CEO of the Center for Democracy and Technology. “At the end of the day, this is my personal data, and it should be protected.”

Easier decisions for consumers

Industries can also make it easier for consumers to protect themselves by standardizing cybersecurity tools, agreed panelists in the second plenary session, “Improving Cybersecurity Practices at Consumer-Oriented Business and Organizations.”

“One of the disturbing statistics that I’ve learned is that more than half of the computers in the world go out with security turned off,” said panelist Renee James, president of Intel. “Those are the kinds of things that we’ve taken steps to improve within our hardware and throughout industry.”

Ajay Banga, president and CEO of MasterCard, pointed out that passwords are a significant weakness in personal security.

“Stop making me have to remember so many things to prove I am who I am,” he suggested. “This password era is gone.”

It’s the worst form of security, he said, because it’s easy to crack based on other personal knowledge, or because people end up writing down passwords that they can’t remember. A more secure and easier to use solution, he said, might involve biometrics or bracelets that continuously generate new identifying information.

“When it comes to the rights of customers and the rights of citizens, it’s important to realize we’re all talking about the same people,” said Apple CEO Tim Cook. “People have trusted us with their most personal information. We owe them nothing less than the best protection that we can provide.”