Last week’s White House cybersecurity summit was the Biden administration’s first formal public-private meeting on the subject of national security, drawing together executives from some of the biggest names in key industries. Tech, finance and energy leaders are being called upon to help address what the administration calls a “core” strategic threat.
Present at the meeting were representatives from Apple, Amazon, Alphabet, Microsoft, JP Morgan Chase and Bank of America, among other leading companies. A number of these announced public commitments at the summit, ranging from subsidized cybersecurity training programs for Americans to improved security features for existing cloud products.
Cybersecurity summit firms up future of public-private partnerships
The Biden administration used the cybersecurity summit as an opportunity to announce several new initiatives. Perhaps the most significant was that the National Institute of Standards and Technology (NIST) has been directed to develop a new framework for security of the technology supply chain. The Secretary of Homeland Security and Secretary of Commerce were directed in late July to develop and issue cybersecurity performance goals for critical infrastructure to be used as baseline security practices, which are to be incorporated into future NIST guidance. At present, this new framework is being developed as a guideline for both public and private organizations to assess their security posture; companies that pledged to participate include IBM, Google, Microsoft, Travelers Insurance, and cyber risk assessment firm Coalition.
The Industrial Control Systems Cybersecurity Initiative, already in place for the country’s electric utilities, is also being expanded to include natural gas pipelines. The initiative sets new security and reporting standards for the industries it covers, and the administration had previously announced a five-year plan to gradually expand it to a wide range of industries that potentially impact national security. The administration also announced that it plans to cover the water & wastewater and chemical sectors by the end of 2021.
A number of private companies that participated in the cybersecurity summit also took the opportunity to announce programs of active participation, many of them committing to large-scale training programs with a national security focus. Apple will be developing a security program for its estimated 9,000 contractors throughout the United States; Google announced a five-year plan to invest $10 billion in zero-trust programs and in training 100,000 Americans to earn relevant digital skills certificates; and IBM announced similar training for 150,000 people, with a special focus on setting up Cybersecurity Leadership Centers at the nation’s Historically Black Colleges & Universities. Other companies making sizable investments in both public and employee training include Microsoft, Amazon, Code.org and the University of Texas System.
Some other companies also offered free products or free enhancements to existing products. Amazon pledged to provide all Amazon Web Services customers with multi-factor authentication devices at no cost, and Coalition is making its cybersecurity risk assessment & continuous monitoring platform available for free to all interested organizations.
Roger Grimes, data-driven defense evangelist at KnowBe4, was left feeling optimistic after seeing the outcome of the first real national security meeting of this nature: “Look, I’ve been at this…cybersecurity…for over 34 years. It seems never to get better. Each year is worse than the last. This year for the first time I feel hopeful. I’m not sure if we are going to be better prepared next year than now, but for the first time I think there’s a decent chance that we’ve started to turn the corner. And I don’t say that lightly. It’s been decades of disappointment. But I think ransomware and some of the other social engineering attacks, like multi-million dollar business email compromise (BEC) scams, were the tipping point events we needed to finally get the all-hands approach we needed.”
David Gerry, Chief Revenue Officer at NTT Application Security, agrees: “This summit, and resulting commitments and initiatives, mark a positive step in raising awareness of the national cybersecurity attacks proliferating our nation’s private sectors. The summit allows for ideas, best practices, as well as transparency to be shared between technology vendors and government organizations. It’s great to see leaders within the financial and utilities sectors specifically, which have been hit hard this past year, come together to create actionable plans around proactive security strategies.”
Private companies in sensitive industries drafted into defense of national security
The administration has pointed out not only that it is necessary for private industry (which has direct control and oversight over a great deal of critical infrastructure) to play an active national security role, but also that the industry is facing an immense labor shortage. At the outset of the cybersecurity summit, the president told reporters that about half a million cybersecurity jobs in the US are currently sitting unfilled.
Representatives from each of the companies that attended spoke at the cybersecurity summit, and nearly all expressed that attacks were happening daily and that ransomware was becoming a particular problem for nearly every industry. Emily Harding, a senior fellow at the Center for Strategic and International Studies, told the Washington Post that the cybersecurity summit was more about coordinating messaging than about crafting concrete national security policy. The attendees formed breakout groups that discussed potential joint courses of action, and agreed to reconvene in a month to firm them up further.
The insurance industry has also been included in these discussions, and at least one participant (Resilience) has said that it plans to adopt a set of best practices that policyholders will be asked to adhere to as a condition of their policies. Though this element may not receive as much press coverage, Jason Rebholz (CISO at Corvus Insurance) sees it as perhaps the most productive element of this initial meeting: “It’s a promising sign that insurance was brought to the forefront of the latest White House discussions with private sector leaders about how we can improve our nation’s cybersecurity … Insurance carriers are an essential component in driving the adoption of security controls and technologies across every industry. By incentivizing organizations, insurance carriers can not only create the new standards of security but also help enforce consistency – something that is difficult to do in an ad hoc manner. Insurance carriers become an ally and force multiplier for organizations of every size by delivering access to more affordable security solutions that don’t compromise on quality. Organizations that partner closely with their cyber insurance carrier will, by and large, be better equipped to protect themselves against the emerging cyber threat landscape.”
The subject of mandates for private industry was not broached during the cybersecurity summit, but press secretary Jen Psaki fielded a question about it from reporters afterward. Psaki appeared to turn that responsibility over to Congress, saying that the administration would review any proposals for national security purposes that cleared the legislative process. The cybersecurity summit also seemed to steer clear of discussing punitive measures or attempts to “hack back” when rival nations are harboring attackers that threaten national security.