Cataclysmic breaches and a woeful shortage of a trained cybersecurity workforce prompted the Biden Administration to haul a collection of the biggest names in business into a White House cybersecurity summit this week, to talk about what they plan to do about it. The outcome of the talks falls short of what’s needed, researchers say.
The short story is they’re going to throw a ton of cash at the problem. But for all the public posturing by prominent CEOs at tech giants, many security experts agree that the administration will ultimately need to mandate and enforce cybersecurity standards to make real progress.
Google, et al, Pledge Big Cybersecurity Investments
Google’s CEO Sundar Pichai committed $10 billion over the next five years to boost security and help train 100,000 Americans for cybersecurity jobs. IBM CEO Arvind Krishna meanwhile promised that his company will train 150,000 new cybersecurity pros over the next three years.
Amazon CEO Andy Jassy, Apple CEO Tim Cook, Microsoft CEO Satya Nadella and payroll services company ADT’s CEO, Carlos Rodriguez, were also in attendance and made recommendations and commitments of their own, along with leaders from insurance and banking firms, like JPMorgan Chase CEO Jamie Dimon.
“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said just before the cybersecurity summit started, according to the Washington Post. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do.”
The US Tries to Shake Cyber-‘Victim’ Status
In just the past year, critical U.S. infrastructure has fallen victim to cyberattacks including the SolarWinds supply chain breach, the Colonial Pipeline ransomware attack, the breach of meat producer JBS Foods and more. This summit was intended to help turn the tide and put the U.S. in a more offensive cybersecurity posture, rather than haplessly reacting to the latest major breach.
If these companies can’t get their collective acts together, the Biden administration could turn to more heavy-handed legislation and regulation of tech industries, according to Tim Erlin, vice president of strategy at Tripwire.
“It’s clear that the Biden administration wants to shift both the perception and the reality that the United States’ role in cybersecurity is that of the victim,” Erlin said. “Given the makeup of the economy and the country, the government is limited in what changes it can make. Cybersecurity legislation is a heavy tool, but regulation may be necessary to force companies to step up.”
Erlin added that commercial suppliers also have a responsibility to put security first.
“Securing critical infrastructure requires improvements in the security of those suppliers and their products,” Erlin said. “It’s an interconnected problem.”
And one that the Biden Administration is calling on the U.S. tech industry to fix.
On May 12, President Biden issued a sweeping Executive Order intended to boost the nation’s cybersecurity which handed down requirements for private sector reporting of cybersecurity incidents to the federal government, plus a massive overhaul of federal cybersecurity as well as supply-chain security. It also established a Cyber Safety Review Board under the Department of Homeland Security to study cybersecurity incidents, among other measures.
“Biden’s recent executive order was probably the best EO out of all the recent Presidents who have issued EOs on the subject,” Roger Grimes from KnowBe4 said. “So, if you leave out the huge elephant in the room… that voluntary compliance is likely never going to work or at least not work nearly as well, then the ideas and recommendations in Biden’s recent EO is the best I’ve seen.”
Grimes likewise applauded the appointment of Jen Easterly as the director of the Cybersecurity Infrastructure Security Agency (CISA), who he called a “real secret weapon crown jewel.” He added that she is clear-eyed about the cybersecurity labor shortage and is taking steps to correct the problem.
Following the White House summit commitments regarding workforce training, Easterly just scored a big push from the private sector.
Additional Cybersecurity Recommendations
Cybereason’s chief security officer Sam Curry made a series of recommendations to the Biden White House, including using diplomatic channels to push back against state-sponsored attacks on U.S. interests.
“That means ambassadors engaging, treaties updated for extradition, use the tools of the government for goodwill here and treat them as we would a drug czar or terrorist grandee,” Curry said. “If the UN could get together to ban travel to Iraq and Syria because of ISIS in 2015, go do something like that now.”
Curry also recommended that the Department of Defense should send a clear message to the world that cyberattacks against American interests will come with a cost.
“Authorize the DoD and Cyber Command to engage with clear rules of engagement in offensive operations,” he said. “Develop these in partnership with the industry and make it clear there’s a cost to hacking U.S. targets as bad or worse than other crimes against U.S. persons and entities.
He also suggested new, bipartisan legislation to increase cybercrime penalties, a more active government role in innovation stimulation and developing a more collaborative approach to cybersecurity that includes government, private companies and academia.
The wholesale, very public acceptance by the Biden Administration that cybersecurity is a real threat to national security is encouraging, according to Sotero founder Purandar Das, but he suggested it needs to be followed up by enforcement.
“The intervention of the administration is a great step,” Das said. “Additional enforcement has to be the stick. Organizations ought to start thinking of information protection before profits. Assuming that data or information loss as a cost of doing business is probably the biggest block to achieving security goals.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.