White House Unveils Supply Chain, New Security InitiativesMicrosoft, Google Pledge Billions in Cybersecurity Spending Over Several Years
The Biden administration unveiled a new package of supply chain and critical infrastructure security initiatives Wednesday following a meeting at the White House with about 25 tech, banking, insurance and infrastructure executives.
The initiatives feature a pledge by several companies, including tech giants Microsoft, Google and IBM and insurers Travelers and Coalition, and the U.S. National Institute of Standards and Technology, to create a framework to build more security into the nation's technology supply chain to help ensure its integrity, according to a fact sheet released by the White House.
The Biden administration also plans to expand its Industrial Control Systems Cybersecurity Initiative - a collaborative effort involving the federal government and companies that oversee U.S. critical infrastructure first unveiled in July for the nation's electrical utilities - to the oil and gas industry to help better secure the nation's network of interstate pipelines.
The White House also received pledges from several tech firms to spend billions of dollars on cybersecurity over the next several years. This includes Microsoft investing $20 billion over five years to integrate cybersecurity by design and deliver advanced security solutions, as well as Google promising to invest $10 billion over five years to expand "zero trust" programs, help secure the software supply chain and enhance open source security, according to the fact sheet.
Before Wednesday's meeting, President Joe Biden touted some of his administration's cybersecurity initiatives, including the executive order signed in May that will fundamentally change how federal agencies approach security as well as how departments buy and rate the software they use. But Biden noted that much of the responsibility to secure the nation's critical infrastructure and supply chain falls to the private sector.
"The reality is, most of our critical infrastructure is owned and operated by the private sector, and the federal government can't meet this challenge alone," Biden said. "So I've invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity."
Sam Curry, the chief security officer with Cybereason, notes that following a series of cyber incidents, including the supply chain attack against SolarWinds and a series of ransomware attacks starting earlier this year, now is the time for both companies and government agencies to invest more in their security defenses.
"If we have learned anything since the SolarWinds breach opened the floodgates, the public and private sectors need to invest now to ratchet up prevention and detection and improve resilience," Curry says.
Wednesday's meeting at the White House included discussions among several top administration officials and the leaders of several U.S. companies, including Microsoft, Apple, Google, IBM, Amazon, JPMorgan Chase, Bank of America, Travelers Resilience, American Water, ConocoPhillips, Duke Energy and PG&E among others (see: White House Tech Meeting: Focus on Critical Infrastructure ).
Before the meeting, a senior administration official noted that it's impossible to address cybersecurity from a government standpoint alone. "We're sincere when we say cybersecurity is a matter of national security and the government and public sectors must meet this moment together," said the official, who spoke on the condition of anonymity.
While the executives met with Biden for about an hour Wednesday, they also met in smaller groups to discuss three issues: critical infrastructure, risk assessment and cybersecurity education and training.
While Congress is working on several bills that would require companies to report cyber incidents and would create new regulations, White House officials signaled that they want companies to adopt voluntary standards first to improve their security.
"Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity," said White House Press Secretary Jen Psaki on Wednesday.
Phil Reitinger, the president and CEO of the Global Cyber Alliance, notes that while these meetings seldom produce significant results, if the White House can convince companies to adopt better security standards without a specific mandate - it's a step forward.
"If this is a start to build private sector buy-in to setting standards and near-mandatory implementation of effective requirements for critical infrastructure cybersecurity, I'll dance a jig," says Reitinger.
The bulk of Wednesday's initiatives focused on shoring up the nation's supply chains, including the agreement between NIST, the tech companies and insurance firms.
And while the participants did not release specifics, the White House notes this initiative will "serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software."
The White House also received a separate pledge from Apple that it would work with its global suppliers, including 9,000 firms in the U.S., to improve security along the iPhone maker's supply chain, which will include mass adoption of multifactor authentication, security training, vulnerability remediation, event logging and incident response.
Jake Williams, a former member of the U.S. National Security Agency's elite hacking team, says the Apple commitment is particularly intriguing, but he wants to see the company commit to improving security within its software, especially iOS, which has been targeted by several zero-day attacks (see: Spyware Zero-Day Hits Show Apple Ecosystem's Imperfections).
"While it is very encouraging that Apple is focusing on ensuring supply chain security, their iOS operating system continues to be a black box for defenders," says Williams, who is now co-founder and CTO at BreachQuest. "This prevents relatively easy detection of exploitation of these devices, as was observed recently with NSO Group. Zero-day exploits in iOS will remain an outsized threat until network defenders can gain visibility into operations on these devices."
Besides commitments from tech firms, two of the insurance companies represented at the meeting offered their own commitments. This includes Resilience announcing that it will require policyholders to meet a threshold of cybersecurity best practices as a condition of receiving coverage, according to the White House.
Coalition, another cyber insurance provider, announced that it will make its cybersecurity risk assessment and continuous monitoring platform available for free to any organization.
Jack Kudale, founder and CEO of Cowbell Cyber, a Pleasanton, California-based cyber insurance provider, says that these types of changes in the cyber insurance industry will make a significant difference for small and mid-sized firms that struggle to afford coverage (see: Cyber Insurance: Higher Premiums, Limited Coverage).
"Initiatives to close insurability gaps, and to make cyber insurance accessible to all, will contribute the most in making the supply chains that are critical in the global economy more resilient to cyber threats," Kudale says. "This includes standardization of coverage, flexibility and customization of policies as well as simplification of insurance applications."
The Biden administration also made several announcements about cybersecurity jobs, hiring and training. Besides the commitments from Google and Microsoft, other initiatives include:
- IBM pledging it will train 150,000 people in cybersecurity over the next three years; the company will partner with more than 20 historically Black colleges and universities with leadership programs.
- Amazon announcing it will make available to the public at no charge the security awareness training it offers its employees. It will also offer MFA devices to users of Amazon Web Services.
- Code.org pledging that it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms during the next three years.
"Amazon’s offer of free cybersecurity awareness training is a game-changer, particularly for small to mid-sized businesses. Security awareness training can have substantial impacts in preventing breaches," Williams says.