President Obama last week took executive action on cybersecurity, but lawmakers say the steps merely lay the “foundation” for a long-term fight against hackers, and analysts argue that the federal government has moved too slowly in addressing 21st-century threats.
Mr. Obama’s order, signed Friday during a White House cybersecurity summit at Stanford University, calls for greater cooperation between the government and the private sector on cyberthreats and makes it easier for federal agencies to share relevant, classified information with companies. The move comes on the heels of several high-profile hacks in major industries, including this month’s data breach at insurance giant Anthem Inc. and last year’s cyberattack on Sony Pictures.
The White House argues that neither the government nor the private sector can adequately respond to such attacks on their own, and wants to establish a framework for pooling resources and working together.
“This has to be a shared mission. So much of our computer networks and critical infrastructure are in the private sector, which means that government cannot do this alone,” the president said at the Stanford summit. “But the fact is the private sector can’t do it alone, either, because it is government that often has the latest information on new threats. There is only one way to defend Americans from these cyberattacks — that is through government and industry working together, sharing appropriate information as true partners.”
Analysts say Washington for years has tried to get a handle on cybersecurity with minimal success, and key lawmakers agree.
Sen. John McCain, Arizona Republican, said in December that countless Capitol Hill efforts to address cybersecurity have yielded little result.
“I’ve been to more meetings on cyber than any other issue in my time in the Congress with less accomplished than any other,” Mr. McCain told CNN as the extent of the Sony hack was coming to light.
Indeed, Friday marked 15 years since President Clinton hosted top tech CEOs at the White House for a meeting on cybersecurity, and many of the problems discussed at that gathering have not been resolved.
“We keep trying to solve the problem the old-school way, and clearly that is not working,” said Theresa Payton, CEO of cybersecurity consulting firm Fortalice and the White House’s chief information officer under President George W. Bush from 2006 to 2008.
Ms. Payton said government and private industry remain too reactive and focus too much energy on responding to cyberthreats as they emerge or on cleaning up data breaches after the fact.
Instead, she said, it’s important to deal with cybersecurity at its root causes. Ms. Payton is urging companies to rethink the types of information — such as Social Security numbers — they collect and store.
Limiting the amount of personal and financial information that could be accessed by hackers, she said, would make data breaches less damaging.
“We keep focusing on after the horse has left the barn,” Ms. Payton said. “We need to be talking about it upfront. Let’s change our mindset. What data do we collect?”
Lawmakers, including key Republicans, applauded Mr. Obama’s executive actions but say they are merely starting points.
“The president’s actions today are not a complete solution, but do help prepare a policy foundation on which Congress can build a robust legislative strategy to solving the data security challenges American businesses face,” said Sen. Jerry Moran, Kansas Republican and chairman of a Senate Commerce, Science and Transportation subcommittee on consumer protection and data security. “I hope the president will keep his commitment to work with Congress to align incentives for American businesses to protect themselves and consumers.”