On August 25th, President Joe Biden hosted private sector leaders to discuss what he called a “core national security challenge”—cybersecurity.
The mini-summit produced an impressive list of commitments from key players in tech, financial services, insurance, and infrastructure, including leadership from Apple, Google, Amazon, JP Morgan Chase, Bank of America, Duke Energy, PG&E, and many others.
Details emerged of billions in private sector funding pledged toward deploying and advancing cybersecurity technology over the next five years. Significant investments were outlined for training up an IT and security-skilled workforce that can play tighter team defense against the kinds of cyberattacks that have plagued America’s public and private sector in recent months.
The turning point that led to this meeting
This all-hands-on-deck meeting at the White House hosted by the President—taking place amid the current serious situation in Afghanistan and the ongoing Covid-19 pandemic—underscores how cybersecurity has vaulted to the top of the administration’s agenda.
A series of recent high-profile incidents revealed the soft underbelly of our local government, commercial, and supply chain IT systems, prompting calls for more to be done to protect our critical infrastructure and the markets we depend on every day. For example, the havoc caused by the ransomware attack on the Colonial fuel pipeline forced the company to temporarily halt operations, spawning fuel shortages and higher gas prices in large regions of the country. Just weeks later, the world’s largest meat processor came under attack. These accounted for two of the more prominent attacks in 2021, but local municipalities have been under a sustained assault for years. Last year, at least 2,354 governments, health-care facilities, and schools suffered from ransomware attacks.
The President and his administration are urging the private sector to partner with the government and take more responsibility to shore up our country’s infrastructure, products, processes, and supply chains against all forms of cybersecurity threats. Prior to the White House meeting, a senior official said, “I want to emphasize that tomorrow is a call to action. The federal government can’t solve this complex, growing international challenge alone, and we can’t do it overnight.”
In opening remarks with private sector leaders, President Biden reinforced his position on how our private sector needs to do more to defend national cybersecurity.
“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone. I’ve invited you all here today because you have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity.”
Who was there, and what did they commit to?
Attendees included CEOs from top tech companies including Google, Apple, Microsoft, Amazon, IBM, and ADP. Key financial companies included JP Morgan Chase, Bank of America, and US Bancorp. Some of the nation’s top insurance, energy, and water utility companies attended, including American Water, ConocoPhillips, Duke Energy, PG&E, SJW Group, Southern Company, and Williams. Leaders from educational institutions also participated, joined by key members of the president’s Cabinet and National Security Advisors.
Following a keynote discussion between President Biden and the invited business and education executives, smaller breakout sessions were held. These sessions drilled down on comprehensive measures the private sector can champion to strengthen our nation’s cybersecurity:
- “Critical Infrastructure Resilience” with participants from energy, financial, and water industries.
- “Building Enduring Cybersecurity” with participants from tech and insurance industries.
- “Cybersecurity Workforce” with participants from education and other industries.
After the day’s work sessions concluded, many of the executives in attendance took to social media to signal their support of the meeting’s agenda, and announce their plans to help. Microsoft CEO Satya Nadella tweeted: “Thank you @POTUS for convening a critical conversation on cybersecurity. Microsoft will invest $20 billion to advance our security solutions over the next 5 years, $150 million to help US government agencies upgrade protections, and expand our cybersecurity training partnerships.”
Here are just a few of the highlights…read the full fact sheet here.
- Google will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.
- IBM will train 150,000 people in cybersecurity skills over the next three years.
- Apple will establish a program to drive continuous security improvements throughout its technology supply chain, and press its suppliers to adopt multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
- Amazon will share the security awareness training it offers its employees, at no charge, and will also let all Amazon Web Services account holders use a free multi-factor authentication device to protect against threats like phishing and password theft.
- Resilience will require policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
- Coalition will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization.
- Code.org will teach cybersecurity concepts to over three million students across 35,000 classrooms over three years.
- Girls Who Code will establish a micro credentialing program for historically excluded groups in technology.
- University of Texas System will expand offerings for short-term credentials in cyber-related fields to strengthen America’s cybersecurity workforce.
The Biden Administration also announced a major new initiative organized through the National Institute of Standards and Technology (NIST). NIST will “collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software.”
Last but not least, they announced the Industrial Control Systems Cybersecurity Initiative now includes our natural gas pipelines.
What to watch for next
As with previous administrations, cybersecurity is a priority for this one. But like so many real issues addressed with conviction on the campaign trail or op-ed pages, actions around cybersecurity defenses have been inconsistent and fallen short of what is needed. The reasons behind this: more urgent situations arise, bumping cybersecurity down the list; lack of funding; lack of understanding about the scope of the problem. In other words, the squeaky wheel gets the grease.
This summer and the months leading up to it have been extremely squeaky for cybersecurity. The media, security experts, government officials, and private interests have suddenly unified in their perception that this isn’t a future threat, it’s happening now…every day. Officials in the Biden administration appear to be sensing their opportunity to activate the private sector to solve big parts of the overall problem, in ways that the government has less effective means to address. They prefer big business to design the overall project, with guidance from federal standards. The roster of meeting attendees included a who’s who of tech, infrastructure, and financial leadership. That powerful collaboration demonstrates our government’s intention to elevate cybersecurity as a national security pillar.
This is just the beginning. The hardest work is putting this plan into motion. There is much more to be discussed and planned out on this complex problem.
We will continue to see how this unfolds and observe whether they are doing what they said they would, asking the following questions:
- Will the pledged workforce and technology investments roll out as soon as advertised, and to the degree promised?
- Will other companies follow the lead of Google, Apple, Microsoft, IBM, Amazon, etc.? How many U.S. companies have the requisite money and leadership to implement better cybersecurity technology and processes into their products, services, maintenance, and customer accounts?
- Will any of this impact the passage of the proposed cyber incident reporting mandates introduced recently in the Senate? And will the new NIST framework have any regulatory power, or just be a best practices and standards reference point?
- Will the next big data breach or cybersecurity hack add fuel to the flame to get more done, faster in this private/public sector partnership? Or will it lead to finger pointing and criticism that these announcements were all for lip service?
- When will the larger cybersecurity conversation become more nuanced and tactical, exploring the role of artificial intelligence and machine learning solutions for infrastructure and other industries? AI cybersecurity products represent a powerful new breed of cyberdefense, recognized to be among the most effective and comprehensive protection available today against malware, hackers, criminal organizations, and state-sponsored groups.
We can expect one thing with 100% confidence in the wake of the cybersecurity meeting. As long as there’s profit in it for the cyber criminals, more ransomware, viruses, malware, and data hacks will inflict further damage on U.S. private sector interests.
Groups like the ones that attacked Colonial Pipeline are sophisticated, patient, and opportunistic, looking for weak links in the chain of defense, and once they lock on their target they are relentlessly aggressive.
Fortunately, our DeepArmor® product is an equal match for such threat actors. DeepArmor can be deployed to address the complete IT infrastructure, including every class of critical asset and nearly every type of attack, including the vast majority of zero-day attacks frequently used in ransomware.
SparkCognition’s AI-powered DeepArmor solutions use adaptive cognitive modeling to recognize suspicious changes in files such as DLLs, executables, scripts, and documents. Snapping into action to shut down the breach—directly by coordinating processes with other security solutions, or indirectly by notifying security managers—this fundamentally superior design has translated, year after year, into SparkCognition’s industry-best results when tested against zero-day attacks such as those used in high-profile attacks like the Colonial Pipeline breach.
To drive this last point home, we concur with the same unnamed senior administration official who spoke about the message the White House wants to make loud and clear to the private sector in the crosshairs of cybersecurity criminals every day:
“You know, we’ve been talking with critical infrastructure, as you know, for quite some time around, ‘Look, folks, don’t be the next Colonial,’ right? Put in place the visibility you need, particularly on your operational technology networks.”