What can a president do to fix bad corporate security? It's become an increasingly important question for President Obama, as his administration looks to respond to the growing tide of corporate breaches, from the Sony hack in November to this month's Anthem breach. But so far the answer seems to be, not much.
The new proposals do little to address long-standing criticisms
The president's latest effort is an executive order, announced this morning at a Stanford cybersecurity conference. The order lays out new ways for companies to share information on emerging threats and gives Homeland security more power to keep the shared data secret. The order comes on the heels of the president's new cybersecurity threat-sharing agency and recent threat-sharing proposals in Congress, both of which have met with some criticism in security circles. But the new proposals do little to address long-standing criticisms of federal cybersecurity initiatives, and as a result, it's unclear what practical effect the order will have.
The biggest issue is that the threat-sharing platforms are only valuable if companies use them — and so far, much of the private sector has approached the platforms with caution. The government can't force a company to share data, and getting Homeland Security involved is more likely to scare companies off than invite them in, particularly for any company with international clients. As researcher Adam Shostack put it in response to the new threat-sharing agency, "The world outside the US is concerned that the US spies on them, which means that the new center will get minimal cooperation from any company which does business outside the US." Participation in the new initiative is voluntary, for simple legal reasons, but it's unclear why companies would volunteer.
That's not to say that the new programs are poorly designed, but simply that it's very difficult to fix private-sector security with a federal program. For companies struggling to manage the new wave of digital threats, the best help may still come from outside Washington.