Biden’s Cyber Summit Sends Clear Message: We Must Work Together

In withdrawing from Afghanistan, President Biden made it clear there were issues of national security that his administration regarded as taking priority over a continued military presence in that country. Included in the President’s list of priorities was cybersecurity. Data breaches and cyberattacks are increasingly disrupting the lives of ordinary Americans and threatening our critical infrastructure.

In late August, Biden met with leaders from key business sectors at the White House to discuss this “core national security challenge.”

Biden’s Cybersecurity Initiatives to Date

In May, in response to a spate of cyberattacks that heightened tensions with U.S. adversaries like Russia, the President issued an executive order to strengthen federal IT security. The order establishes baseline security standards for software used by the government, compels the government to use secure cloud services and zero-trust IT architecture, and creates a cybersecurity safety review board and standard playbook for the government to respond to cyberattacks.

A month earlier in April, as part of the administration’s effort to safeguard critical infrastructure, the US Department of Energy (DOE) launched a 100-day plan to improve electric utilities’ cybersecurity. In partnership with electric utilities and the Cybersecurity and Infrastructure Security Agency (CISA), the DOE plan called for the advancement of systems to provide visibility, detection, and response capabilities for utilities’ industrial control systems (ICS).

In August’s cybersecurity summit, it was announced that this initiative had already improved the cybersecurity of more than 150 electric utilities serving 90 million citizens, and that it will be expanded to natural gas pipelines.

On July 28, the President signed a new National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. As a result, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) will work together to develop voluntary performance goals for the adoption of effective cybersecurity practices and controls by owners and operators of critical infrastructure.

Internationally, the US is rallying G7 countries to hold host nations of cybercriminals accountable and to update NATO policy to reflect cybersecurity’s current threat level more accurately.

A Call to Action for the Private Sector

With anything from cell phones to elevators to power grids providing points of entry to hackers, the administration is confronting a problem of staggering proportions. Moreover, because the problem affects several areas of the economy that the White House cannot regulate directly, a “whole-of-nation effort” is required to address America’s cybersecurity threats.

August’s cybersecurity summit was effectively a call to action for America’s private sector — not just the representatives of Silicon Valley, but those from the financial sector, education, utilities, infrastructure, and others.

Commitments and Initiatives

At the August summit, CEOs from the largest tech companies sat with President Biden for an hour, followed by three breakout sessions focused on risk assessment, critical infrastructure, and cybersecurity education. The sessions garnered a generally positive response from the industry, with several organizations committing to work with the government and drive their own initiatives. Some of the more significant outcomes include:

· Apple will enhance the cybersecurity of its supply chain by getting its suppliers to use multi-factor authentication and to improve event logging and incident response.

· Google committed $10 billion to cybersecurity initiatives, expanding zero-trust programs, securing the software supply chain, and enhancing open-source security.

· IBM will make its secure backup service already being used by critical infrastructure operators more widely available.

· Microsoft committed $20 billion for cybersecurity initiatives for the next five years and a further $150 million in technical services to upgrade federal, state, and local governments’ cybersecurity.

· Amazon’s cloud computing division will give American customers who spend $100 a month or more on Amazon Web Services free multi-factor authentication devices. Amazon also committed to making its employee security awareness training available to the public for free.

· Resilience, a cyber insurance provider, says it will require clients to adhere to minimum cybersecurity standards to receive coverage. Another such provider, Coalition, will make its cyber risk assessment platform available to any organization.

· Microsoft, Google, IBM, Travelers, and Coalition committed to participating in an NIST-led initiative to develop a new supply chain security framework to guide organizations in building and assessing secure technology, including open-source software.

Half a Million Cybersecurity Posts Unfilled

The Biden administration estimates there are half a million vacancies in the cybersecurity industry and has identified this shortfall of qualified personnel as a critical risk. Attendees at August’s summit made specific commitments in this regard, which included:

· A commitment from Google, IBM, and others to train cybersecurity experts to fill these positions. IBM’s commitment includes partnering with Historically Black Colleges & Universities (HBCUs) to promote a more diverse cyber workforce.

· A commitment from Code.org to teach cybersecurity concepts to 3 million diverse students in three years and to encourage cybersecurity as a potential career.

· Girls Who Code will establish a micro-credentialing program (including scholarships and early career opportunities) for historically excluded groups in the tech industry.

· The University of Texas System will upskill and reskill over 1 million diverse workers via entry-level cyber educational programs that do not depend on traditional degrees.

· Whatcom Community College, the new NSF Advanced Technological Education National Cybersecurity Center, will provide training to community college faculty and help community colleges develop programs to “fast-track” students from college to career.

The summit was long overdue, in the opinion of many technology experts. And it delivered an important message: with the diversity of threats our country faces, the government and the private sector must work closely together to develop standards and procedures for robust cybersecurity.