In a panel on Friday afternoon at the White House Summit on Cybersecurity and Consumer Protection, the Chief Security Officers of five Silicon Valley companies argued for user-safe technology and warned of the cybersecurity challenges faced by small and medium businesses.
Moderated by Amy Zegart, a senior fellow at the Hoover Institution and the co-director of CISAC, the discussion centered on technical ideas for a secure future.
Safety, not security
A guiding theme for the event was finding ways to motivate behavior that promotes cybersecurity, especially for consumers.
Scott Charney, Microsoft’s corporate vice president of trustworthy computing, advocated for technologies that prevent users from having to become security experts. For example, terms of service agreements have shown that users will click ‘OK’ on almost anything, so the burden placed on consumers should be minimized.
Yahoo Chief Information Security Officer Alex Stamos agreed that greater attention has to be paid to the user.
“We’re really good at building secure products, but that’s not the fight anymore,” Stamos said. “We need to build safe products.”
Melody Hildebrandt, Palantir’s global head of cybersecurity, argued that there isn’t enough information for consumers to make informed decisions. Cars have safety ratings and food has nutritional info, she noted, but Internet-facing products lack an analogue.
“Most consumers don’t know the questions to ask,” Hildebrandt said.
Small and medium businesses
The panelists claimed that small and medium businesses face an uphill battle when it comes to cybersecurity. Stamos presented the recent Sony Pictures Entertainment hack as an example, arguing that SPE operates as a relatively small subsidiary of Sony.
Large corporations like Microsoft, Google, Yahoo and Facebook — each represented on the panel — are at an advantage because their cloud computing infrastructures require centralized security skills and resources. Facebook Chief Information Security Officer Joe Sullivan said that smaller businesses would be safer if they utilized cloud services and enabled optional security features.
The growing requirements of cybersecurity can also represent a barrier to entry for new companies. While PayPal grew up with relatively inexperienced hackers in the earlier days of the Internet, Stamos explained, new mobile payment apps are immediately confronted with experienced adversaries.
When the discussion turned to which technology would follow two-step authentication, Stamos asserted that “passwords are done” and Charney pointed to hardware-centric forms of authentication. Eric Grosse, the Google vice president for security engineering, brought along smart cards that he said he used as stocking-stuffers for his family over the holidays.
Zegart ended the event by asking each panelist to offer cybersecurity advice to CEOs. Hildebrandt focused on the importance of preparation.
“You’re going to be breached,” Hildebrandt said. “Do you have a plan for it and a plan you’re confident in?”
Sullivan concluded by emphasizing the importance of leadership from executives.
“How a company approaches security is shaped from the top,” he said. “When the tone from the top is right, the company makes the right risk decisions repeatedly.”
Contact Joseph Beyda at jbeyda ‘at’ stanford.edu.