A senior administration official told reporters Tuesday that "continuing to rely on simple usernames and passwords as the primary means to secure what we're doing in cyberspace is not all that effective." The remarks came a day after the Twitter and YouTube accounts of the U.S. Central Command (CENTCOM) were hacked and used to post ISIS propaganda. The hacks happened as President Obama gave a speech on privacy at the Federal Trade Commission.
The senior administration official's remarks were part of a push by the Obama administration to promote new cybsersecurity and privacy legislation. The president has given a pair of speeches on the topics in the past two days, and said today that cyber threats are "an urgent and growing danger."
"We need to look to upgrade to better security solutions like two-factor authentication," the senior administation official said. On Monday, the federal government launched an audit of its social media programs. The General Services Administration said in a statement that it had begun "widespread distribution of guidance for preparing for and responding to social media hacking, an instructional video on how to increase security with two-step verification."
A Pentagon spokesperson described the CENTCOM hack to reporters Monday as a "cyber prank." Two-factor authentication, where a user has to enter a second, one-time use password usually sent to their phone to log in, is widely considered a best practice by security experts.
"We're continuing to work with the DOD and FBI to conduct an investigation to determine what happened," the senior administration official said. "If we need to make changes based on what we learned from that we will; it's too early to render judgments on what needs or not needs to be changed."
The White House today said that the administration would support legislation to make it easier for companies to share cybersecurity information with the federal government and would give companies liability protection to share that data. The data shared, the senior administration official said, would mostly be indicators of a cyberattack.
"It's a fairly narrow set of technical information," the official said, "primarily IP addresses, routing information, and time and date stamps." The information would "primarily not be content" and could only be used by law enforcement to investigate cybercrimes, threats to minors, and threats of bodily harm.
"Obviously [the CENTCOM] incident continues to point to the need to increase cybersecurity across the board," the official said.