President Joe Biden met with tech, financial services, energy and utilities, and insurance CEOs on Wednesday, including the heads of Apple, Google, Amazon and Microsoft, raising concerns about cybersecurity gaps in the private sector. There's also a growing concern that the skilled cybersecurity workforce in the U.S. is not growing fast enough to meet demand.
Biden issued a cybersecurity executive order in May calling on the private sector to improve information sharing, set higher software security standards and break down silos between the public and private sectors.
The order prevents the U.S. government from buying technologies that don't meet certain security standards, which Biden expects to "have a ripple effect across the software industry," he said during the summit.
But private industry serves itself first, despite owning the majority of critical infrastructure in the U.S. The Biden administration has to strike a balance between honoring big tech's capitalism and pushing it to a higher standard for the sake of national security.
"The tech industry, while wanting to be vigilant on cybersecurity, are sensitive to profits and losses," Kevin Harris, associate professor and alternate Cyber Center Director at American Military University, said in an email to Cybersecurity Dive.
The meeting was scheduled in part due to high-profile ransomware attacks this year, which seeped in through weak VPNs or supply chain hacks. It's a surprisingly polarizing topic between legislators and industry.
"It is one of the areas where I have seen the greatest divergence between what would be a long-term public interest in what is in their short-term private interest. And there is a giant disconnect there," said Michael Daniel, CEO of Cyber Threat Alliance, during a webcast hosted by The Institute for Security and Technology (IST) Wednesday.
What tech leaders are pledging
Cybersecurity is an issue for every level of government and consumer-facing business, and tech leaders and educators in cybersecurity are exploring opportunities to improve the security posture in the U.S.
With almost 500,000 open cybersecurity jobs in the U.S., "the federal government can't meet this challenge alone," Biden said during public remarks at the summit. The CEOs in attendance have "the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity."
The tech CEOs in attendance at Wednesday's summit committed to several cybersecurity investments, including:
- Microsoft is investing $20 billion over the next five years to integrate "cybersecurity by design" into its goods and services. The company will also immediately "make available $150 million in technical services" to support federal, state and local governments in modernizing their cybersecurity protection, according to the White House fact sheet.
- Google pledged a $10 billion investment over the next five years, in part to expand zero trust and improve open source security. Google also committed to training 100,000 Americans in areas including IT support or data privacy.
- Starting in October, Amazon will provide qualified AWS customers a free multifactor authentication device and share its internal security training with the public, the company announced.
- IBM will train more than 150,000 people in cybersecurity over the course of three years, IBM CEO Arvind Krishna wrote in a LinkedIn post. The company will also partner with more than 20 Historically Black Colleges and Universities to create cybersecurity leadership centers. In an attempt to hasten recovery in critical infrastructure, IBM announced Safeguarded Copy, a storage solution that promises to reduce recovery time "from days to hours," Krishna said.
- Apple will work with its suppliers to push the adoption of multifactor authentication, event logging and vulnerability remediation as part of a program to improve security in the technology supply chain.
Big tech's rollout of cybersecurity commitments comes in conjunction with other Biden priorities. The 100-day electric grid cybersecurity push was announced in April, and Wednesday's summit included CEOs from Duke Energy, PG&E, and Southern Company.
The April initiative pushed 150 utilities to commit to deploying security standards, according to Biden. But aggressive timelines for compliance, most recently set by the Transportation Security Administration for pipeline operators, are worrying the industry.
"Current cybersecurity frameworks are often built with large corporations and critical infrastructure in mind," said Harris. "However, they do not focus on where a large portion of systems are located," which tends to be the small- to medium-sized businesses in between. Frameworks are often less accommodating to the players sitting in between industry behemoths.
The administration is short of concrete cybersecurity policies, as is Congress. In Wednesday's press briefing, Press Secretary Jen Psaki told reporters the administration expects the private sector to report incidents to the government, but Congress has "a range of options that could be taken."
"Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity," Psaki said.
With ransomware attacks worsening in frequency and economic impact, though, companies will look to the federal government for more guidance and protection. In ransomware attacks, companies might seek relief in the form of tax breaks, caps on lawsuits or requirements via legislation.
Policymakers are the only people who will address the ransomware problem in the long term, and beyond the perspective of one company, said Josephine Wolff, associate professor of cybersecurity policy at Fletcher School at Tufts University, speaking during the IST webcast. "The only movements that I've seen from the policy side have been after a really devastating attack, like Colonial Pipeline, and all of a sudden there's another 'Gosh, this is a big deal,'" and the government reacts with pipeline-related requirements, said Wolff.
"To me, that suggests that we're not actually moving towards getting the pieces in place," and instead, the government and industry remain reactive, she said.