Guest Post: The White House Cyber Summit Was Great, But Questions Remain

Matthew H. Fleming is a Fellow with the Homeland Security Studies and Analysis Institute, a federally funded research and development center serving the U.S. Department of Homeland Security, and an adjunct professor at Georgetown University. Opinions are his own.

Last Friday, the White House held its "Summit on Cybersecurity and Consumer Protection" on the campus of Stanford University in Palo Alto, California. The event featured keynotes from President Obama, Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco, Director of the National Economic Council and Assistant to the President for Economic Policy Jeff Zients, and Apple CEO Tim Cook, among others. Homeland Security Secretary Jeh Johnson, Commerce Secretary Penny Pritzker, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel moderated panel sessions, which included industry leaders, government officials, academics, and members of the advocacy community. The event spanned a full day, with the most high-profile speakers addressing an auditorium of 1500 in the morning, and smaller panels offering thoughts to a select audience of 500 attendees scattered in various meeting rooms in the afternoon. President Obama signed an executive order on “Promoting Private Sector Cybersecurity Information Sharing" on stage immediately following his address, the highlight of the morning session. The new executive order encourages the formation of information sharing and analysis organizations and calls for the development of baseline standards for their operation (e.g., on contractual agreements, technical means, and privacy issues).

The main takeaway of the event was simple, yet important: cybersecurity matters. This was conveyed through speeches, the personalities in attendance, the location (Silicon Valley), and the full-day nature of the summit. Of course, this message should come as no surprise to anyone, following several years of notable cybersecurity incidents, including Target, Sony Pictures Entertainment, and Stuxnet. But for those with lingering doubt, or those viewing cyber as a lower priority, the summit should (could? might?) serve as a wake-up call—though one that highlights a problem (cyberspace is not secure) more than a solution (and here’s what we should do about it).

By most accounts, the event was a success. Media coverage was solid and largely favorable, and segments of the event were broadcast live (benefitting, perhaps, from a slower news day). The vibe for those of us in attendance was excellent, reaffirming our career choice. Indeed, everyone seemed quite happy to be in Palo Alto, including President Obama, whose off-the-cuff comic remarks—interspersed with his prepared speech—were spot on. "I want to go here [i.e., Stanford]," he noted at one point, channeling the views of attendees enjoying the beautiful campus on a 75-and-sunny California day. Credit is due to the organizers, not least Michael Daniel and his staff.

Of course, incidents and summits can reinforce the fact that cybersecurity matters, but they don’t always guide the development or deployment of more secure software or hardware, or supply chains more resilient to the insertion of malicious code or components. President Obama cited the work done by his administration on cyber since taking office, like the Cyberspace Policy Review, Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”) and its sister Presidential Policy Directive 21 (“Critical Infrastructure Security and Resilience”), and the executive order on information sharing signed at the summit. These are all extremely useful—but more needs to be done.

Interestingly, and perhaps not surprisingly, specifics were harder to come by on cybersecurity than one might hope, even at a national-level policy event. The content of the executive order, for example, was referred to almost in passing, despite the fanfare of its being signed on stage at the summit. Other messages seemed to sometimes get in the way. For example, Jeff Zients praised the strength of the U.S. economy for several minutes before turning to cyber. While the nation is grateful for a strong economy, the reference to cyber struck some in the audience as somewhat tangential in content or tone. And for whatever reason, Cybersecurity Coordinator Michael Daniel did not have a prominent morning speaking role.

There was also a (perhaps overblown) buzz around who wasn’t there from Silicon Valley powerhouses and why. Did Marissa Mayer from Yahoo and Eric Schmidt from Google decline to attend in protest due to the fallout of the Snowden revelations? Where were state governors? And the fact that the Department of Homeland Security is facing a shutdown because its funding bill has not been enacted by Congress begs the question: if cyber is so important, why is the agency leading the civilian cyber mission at risk of shutting its doors, save for a skeleton crew of essential staff who might or might not get paid? As with all things cyber, even an engaging, substantive look at the issue was bound to leave some questions unanswered.