Tomorrow the White House is hosting a summit at Stanford University on the important topic of cybersecurity. Silicon Valley is a fitting backdrop and there will be high level participation from both CEOs and leaders from many of the companies who have long been leading cybersecurity advancements. We welcome this engagement and hope it will expand the dialogue to reinforce the notion that we all have a role in promoting cybersecurity in our Jetsonian world.
I suspect we’ll hear from experts that when it comes to tackling cybersecurity, there is no silver bullet. For every new defense, there will be an adversary bent on breaching it. The beauty of technology and the Internet—that technologies and business models constantly evolve—means that targets, and attack methods, will become more advanced too.
As our world becomes more connected and reaps the benefits that come from it, we also see the threat becoming greater and more persistent, and constantly changing, and that is why the technology continues to evolve in tandem. For the tech sector, we are improving cybersecurity in two distinct and important ways: via the products and services we make, and the cybersecurity risk management practices we employ and promote.
Our goal is managing our risks and becoming resilient. Our efforts aim to reduce the effectiveness of attack methods, and we invest in technology, processes, and education to eliminate human error as much as possible. That’s because some of the most high profile cases over the past several months have shown how criminals are exploiting human weaknesses or mistakes made by users.
The reality is most security incidents involve some kind of human error: use of weak passwords, an employee clicking on spam, inadvertently downloading malware that hijacks a computer, or exploiting inadequate network management. Making security the default norm, and easier to use, should be the ultimate goal of our policymakers.
We are pleased that President Obama and his team understand that. One year ago today the Framework for Critical Infrastructure Cybersecurity (Framework) was released by the National Institute of Standards and Technology (NIST) to help individual organizations manage their cyber risks while collectively strengthening our nation’s cybersecurity. It underscores why the best approach is a system in which individuals, businesses, and organizations are empowered to manage their own cybersecurity risks.
The government can also play a key role through efforts to deter, investigate, and prosecute cybercrime and pursue research and development that can help spur new advances. There is also an opportunity to advance cybersecurity threat information sharing to protect and defend networks in a way that protects privacy and offers adequate legal liability protection for businesses.
The conversation at Stanford tomorrow complements one that has been going on in Washington and will be continued in our nation’s capital in the months ahead. We look forward to contributing to an ongoing policymaking process that brings government officials, industry, and other stakeholders together for an open and informed dialogue to understand and address the ever changing nature of cyber risks.