At a glance.
- Government-industry partnership and the White House cybersecurity summit.
- State and local regulators move where US Federal regulators have not.
- US approves some chip sales to Huawei.
Notes on yesterday’s White House cybersecurity summit.
The Biden Administration’s summit yesterday with tech, insurance, utilities, and education leaders, where IBM CEO Arvind Krishna called cybersecurity “the issue of the decade,” produced the following commitments, according to CNBC and GeekWire:
- From Apple, a supply chain security initiative centered on vendor training and implementation of multifactor authentication (MFA)
- From Google, a five-year, $10 billion cybersecurity investment and a promise to educate 100 thousand citizens for cyber careers
- From Microsoft, a five-year, $20 billion cybersecurity investment in addition to a $150 million boost to Government systems
- From IBM, a three-year pledge to teach 150 thousand individuals tech skills, along with the unveiling of a new storage product and plans for next-generation encryption
- From Amazon Web Services, gratis MFA gear for clients and a cybersecurity program for the public
- From insurance firm TIAA, continued investment in workforce development, including through subsidized employee graduate degrees
- From Code.org, a three-year promise to educate 2 million K-12 students and target 1 million more with a “How Not to Get Hacked” production
Insurance company Coalition underscored the industry’s privileged insight into the vulnerability landscape, saying, “There is no industry in the world with more data on managing cyber risk and no industry better positioned to incentivize the controls that reduce the likelihood or success of a cyber attack.” Coalition extended free entrée to its risk mitigation platform and offered to share claims data with interested parties.
Insurance provider Resilience followed suit, according to the Washington Post, with a commitment to set new cybersecurity baselines for customers.
Fortune emphasizes the workforce development angle of the gathering, remarking on the nation’s roughly 500 thousand unfilled cyber jobs across critical industries like health and manufacturing.
The Post described the meeting as “unusually public and ambitious,” and noted President Biden’s admonishment that industry has “the power, capacity, and responsibility…to raise the bar on cybersecurity.” The Government announced plans to partner with Google, Microsoft, Coalition, and insurance provider Travelers on drafting security standards. Center for Strategic and International Studies fellow Emily Harding predicts more substantial regulatory moves down the line, noting, “Summits like this are messaging opportunities more than policymaking opportunities.”
After touting additional commitments like its participation in the National Institute of Standards and Technology’s supply chain security initiative and $100 million pledge to open source security organizations, Google offered some feedback of its own for Washington. “[G]overnments” should mind their legacy technology and contracts, the tech giant said, which “limit competition and choice, inflate costs, and create privacy and security risks.” The White House should also consider extending its zero-trust efforts to “production environments” in light of events like Holiday Bear’s romp. “We look forward to working with the Administration and others to define and drive a new era in cybersecurity,” Google concluded.
The Wall Street Journal characterizes President Biden’s national security priorities in the new era as cybersecurity, Russian hostility, and Chinese rivalry. Steven Aiello, security and compliance practice director at AHEAD, commented on the direction the summit seems to have set. But he thinks that there will have to be some serious work on resources, human and otherwise, before the US makes progress:
“The additional steps being taken by the U.S. government in response to the increased ransomware attacks are without a doubt a step in the right direction. However, the initiatives cannot be fully executed without a broader attention put on individual organizations to expand cybersecurity resources and personnel.
“Private sector organizations don’t have comprehensive cybersecurity teams in place to make solid use of threat intelligence. At AHEAD, we see a lot of customers lack super robust security teams due to talent shortages. The cybersecurity space in particular is experiencing a negative unemployment rate right now, and the truth is, there’s no ‘one size fits all’ solution for security at organizations – it has to be treated as a process, not a product. So while it’s important to remove barriers and share threat intelligence where possible, I truly believe there isn’t enough talent to effectively act on the information.
“I’m in favor of the majority of the Biden administration’s cybersecurity executive order, but we won’t see optimal success unless there are moves made to address the hiring challenges. The new website, stopransomware.gov, for example, could actually do more harm than good if organizations aren’t equipped with guidelines for answering questionnaires with secure information. There’s also a chance the website further reveals the knowledge gap at organizations based on the questions asked. One way to address the talent crisis and return the industry to a healthy ecosystem would be to add a scholarship program to the list of new initiatives. This would get people involved in a field that lacks professionals, fulfill a dire need and help from a jobs perspective.
“Ultimately, we have the right idea, but there’s a lot more that needs to happen behind the scenes before we begin to see real strides toward addressing the ransomware problem for good.”
Such high-level meetings, of course, don’t stand alone, and typically represent only a very small fraction of the work, most of which is done in the background. Tim Erlin, VP of strategy at Tripwire commented:
“This kind of high-profile meeting is the tip of the iceberg for a larger effort to change the cybersecurity landscape. It’s clear that the Biden administration wants to shift both the perception and the reality that the United States’ role in cybersecurity is that of the victim.
“Given the makeup of the economy and the country, the government is limited in what changes it can make. Cybersecurity legislation is a heavy tool, but regulation may be necessary to force companies to step up.
“There’s a focus on critical infrastructure, but those organizations buy their technology from commercial suppliers. Securing critical infrastructure requires improvements in the security of those suppliers and their products. It’s an interconnected problem.”
Roger Grimes, data driven defense evangelist at KnowBe4, agrees with the President’s statement about the pervasiveness of the digital world:
“President Biden is right. It’s hard to find a…