On Wednesday, President Joe Biden hosted executives from major technology, financial and energy companies for a summit on national cybersecurity, saying that the issue was “the core national security challenge we are facing.” At the start of the meeting, whilst talking to reporters in attendance, President Biden estimated that approximately 500,000 US cybersecurity jobs are available, putting emphasis on the fact that the private sector needed to be doing more to safeguard digital systems from cyber criminals, state-backed hackers and spies. “The federal government can’t meet this challenge alone,” Biden said. “I’ve invited you all here because you have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity.”
Commenting on this, Jason Schmitt, general manager at the Synopsys Software Integrity Group, said “It is encouraging to see government recognition of the pivotal role that software plays in the security of our critical infrastructure. Highlighting the grave security risk from insecure software – no matter the source – is a major step toward the broader industry dedicating resources to properly understanding how trustworthy the software in their organisations is. The current emphasis on software bill of materials and supply chain integrity, combined with a comprehensive understanding of security vulnerabilities in all sources of software – custom, proprietary, open source and malicious – provides a meaningful evolution of the state of software security today.”
Sam Curry, chief security officer at Cybereason, added “After months of escalating cyberattacks engineered by nation-state-sponsored groups against public and private sector companies, critical infrastructure providers and organisations distributing COVID-19 vaccines, Wednesday’s cybersecurity-focused meeting at the White House is long overdue.
The 24 CEOs from leading tech companies, banks, insurers, critical infrastructure providers and educational institutions with a seat at the table with President Biden for one hour don’t need a reminder that anyone and everyone will be hit as their companies face a daily barrage of cyberattacks. Interestingly, Wednesday’s meeting included a one-hour meeting with the President followed by three breakout sessions focused on risk assessment, critical infrastructure and cybersecurity education/training.
If we have learned anything since the SolarWinds breach opened the floodgates, the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire. Sure, the threat actors will get in, but so what? We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can, in short, make material breaches a thing of the past. So what if they get a toehold on the ramparts? We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.
My memo for President Biden, with suggestions on curbing the onslaught of cyber threats, includes:
- Working the international relations front. That means ambassadors engaging, treaties updated for extradition, use the tools of the government for goodwill here and treat them as we would a drug czar or terrorist grandee. If the UN could get together to ban travel to Iraq and Syria because of ISIS in 2015, go do something like that now.
- Authorize the DoD and Cyber Command to engage with clear rules of engagement in offensive operations. Develop these in partnership with the industry and make it clear there’s a cost to hacking U.S. targets as bad or worse than other crimes against U.S. persons and entities.
- Sponsor a bipartisan bill to update the penalties associated with cybercrime of all sorts.
- Task DARPA (and other government innovation centers) with stimulating innovation in new technologies specifically around supply chain risk upstream, new methods of prevention, new methods of detection, etc.
- Take a leadership role in public/private/academic collaboration and task them with developing new strategies, new standards, new ways of collaborating, etc.”
Demi Ben-Ari, co-founder and chief technology officer at Panorays, postulated “President Biden’s meeting with CEOs of major companies at the White House delivers an important message: The government and the private sector must work closely together to create accepted standards and procedures to ensure robust cybersecurity. Ultimately, however, that responsibility does not rest merely with the government and leaders of large corporations. To effectively combat cyber threats, all companies in every industry and of every size must implement effective processes to ensure that they—as well as their supply chain partners—have a strong cyber posture. These processes include a combination of comprehensive attack surface assessments and automated security questionnaires, as well as continuous monitoring to alert to any cyber threats.”
Tim Erlin, VP of strategy at Tripwire, added “This kind of high-profile meeting is the tip of the iceberg for a larger effort to change the cybersecurity landscape. It’s clear that the Biden administration wants to shift both the perception and the reality that the United States’ role in cybersecurity is that of the victim. Given the makeup of the economy and the country, the government is limited in what changes it can make. Cybersecurity legislation is a heavy tool, but regulation may be necessary to force companies to step up. There’s a focus on critical infrastructure, but those organisations buy their technology from commercial suppliers. Securing critical infrastructure requires improvements in the security of those suppliers and their products. It’s an interconnected problem.”
Roger Grimes, data-driven defence evangelist at KnowBe4, concluded “President Biden is right. It’s hard to find a real-world situation not heavily managed and directed using digital means, which means it’s subject to digital attacks. We have ransomware attacks taking out oil pipelines, food plants, hospitals, and entire cities…routinely. Biden’s recent executive order was probably the best EO out of all the recent Presidents who have issued EOs on the subject. Of course, the single thing that would have the most and best impact, mandates, seems like it’s never going to come. I understand why the White House can’t mandate cybersecurity standards…that’s the reality of how our government works…it’s largely directed by businesses and voters…and American businesses and voters have repeatedly shown that they don’t love mandates. So, if you leave out the huge elephant in the room…that voluntary compliance is likely never going to work, or at least not work nearly as well, then the ideas and recommendations in Biden’s recent EO are the best I’ve seen. And it replaces mandates with the buying power of the US government, and that’s a big, important thing. And it includes many things, such as the promotion of clouds and zero trust architectures, that the previous EOs didn’t even mention.
So, it’s a huge improvement over the past ones. I also think Biden and his administration are trying to figure out how to make more countries accountable for fighting cybercriminals instead of being cybercriminal safe havens. On top of that, the real secret weapon crown jewel is Jen Easterly as Director of the Cybersecurity and Infrastructure Security Agency (CISA). She is experienced and as sharp as they come. She truly gets what it’s going to take to improve national and global cybersecurity, and that means our nation is going to be better prepared as her changes start to take effect. Part of that is her recognition that we have a huge cybersecurity labor shortage. And she’s implementing multiple programs recently to start tackling that issue as well. It’s an all-hands-on-board approach. Look, I’ve been at this…cybersecurity…for over 34 years. It seems never to get better. Each year is worse than the last. This year, for the first time, I feel hopeful. I’m not sure if we are going to be better prepared next year than now, but for the first time I think there’s a decent chance that we’ve started to turn the corner. And I don’t say that lightly. It’s been decades of disappointment. But I think ransomware and some of the other social engineering attacks, like multi-million-dollar business email compromise (BEC) scams, were the tipping point events we needed to finally get the all-hands approach we needed.”