Tech companies pledge to help toughen US cybersecurity in White House meeting
Apple, Google, Microsoft and others will fund new technologies and training as part of the nation’s struggle to combat cyberattacks.
Following the Biden administration’s efforts to beef up the nation’s cyber defenses in the wake of several high-profile attacks, a host of tech giants and other businesses are promising to play a more active role. In a meeting with President Biden at the White House on Wednesday, Apple, Google, Microsoft and other companies announced their intentions to devote money and training toward strengthening U.S. cybersecurity.
As one step, the White House said that the National Institute of Standards and Technology (NIST) will work with businesses to improve the security of the technology supply chain. This initiative comes in response to such recent incidents as the SolarWinds breach, the Kaseya ransomware attack, and the Microsoft Exchange hack, all of which had a ripple effect that impacted customers and companies along the supply chain.
The goal of the NIST plan is to teach public and private organizations how to create more secure technology, including the use of open source software. Microsoft, Google and IBM will join this initiative along with insurance companies Travelers and Coalition.
As another step, the Biden administration announced the expansion of the Industrial Control Systems (ICS) Cybersecurity Initiative to a second major sector, namely natural gas pipelines. Formally established as part of a cybersecurity memorandum issued on July 28, this ICS initiative is a voluntary effort between the federal government and critical infrastructure utilities to set up systems that will warn affected parties of potential cyberthreats.
The initiative has already improved the cybersecurity of more than 150 electric utilities that serve 90 million Americans, according to the White House. This step comes in the wake of the May ransomware attack against Colonial Pipeline, an incident that forced the pipeline company to temporarily shut down operations, affecting its ability to deliver gas and oil to certain parts of the East Coast.
In the meeting, several companies unveiled their own specific initiatives involving technology and training. Apple said it would kick-start a new program to improve security throughout the technology supply chain. Specifically, the company will work with its more than 9,000 suppliers in the U.S. to push mass adoption of multifactor authentication, security training, vulnerability remediation, event logging and incident response.
Google said it would invest $10 billion over the next five years to expand zero-trust technology, better secure the software supply chain, and enhance security for open source technologies. The search giant announced that it will also help 100,000 Americans get industry-recognized digital skills certificates in their effort to obtain high-growth jobs.
IBM announced that it would train 150,000 people in cybersecurity skills over the next three years and team up with 20 Historically Black Colleges and Universities to set up Cybersecurity Leadership Centers.
Microsoft revealed an investment of $20 billion over the next five years to push efforts to integrate security by design in technology products. The company also said it would immediately devote $150 million to help federal, state and local governments upgrade their security defenses and would partner with community colleges and nonprofit organizations on cybersecurity training.
Amazon said it would offer the same security awareness training to the public that it already offers to its own employees. The company added that it would provide all Amazon Web Services customers with a multifactor authentication device at no additional cost.
“Amazon’s offer of free cybersecurity awareness training is a game changer, particularly for small to mid-sized businesses,” said Jake Williams, co-founder and CTO at cybersecurity firm BreachQuest. “Amazon’s training will put a quality product within reach for organizations that wouldn’t have it otherwise, likely preventing thousands of breaches every year. If there’s one thing in the announcement that will give threat actors the biggest headache, this is it.”
Cyber insurance providers also plan to do their part to push security among their customers. Resilience said it would require policy holders to meet a certain level of cybersecurity best practices before receiving insurance coverage. Coalition announced that it would freely offer its cybersecurity risk assessment and continuous monitoring platform to any organization.
“I’m especially excited to see that Resilience is requiring minimum cybersecurity standards as a condition of coverage,” Williams said. “Many organizations view cyber insurance as an alternative to implementing security controls rather than as a complement to those controls.”
Finally, a few organizations involved in education and training announced efforts to help more people learn security skills. Code.org will teach security concepts across 35,000 classrooms over the next three years. Girls Who Code will set up a credential program for historically excluded groups in technology. The University of Texas System will expand its credentials in cyber-related fields. And Whatcom Community College will provide security training to faculty and help students better move from college to a career in cybersecurity.
A White House meeting that induces major technology companies and other businesses to help beef up the nation’s cybersecurity is certainly a promising development. But what further steps might be required to truly protect the country from devastating cyberattacks?
“If we want to see real progress when it comes to cybersecurity, the SEC must make it a requirement–not an incentive–for companies to report their security practices,” said Kevin Bocek, VP of security strategy & threat intelligence at security provider Venafi. “Cybersecurity is just as important as revenue growth and it’s now relevant for all companies… To keep up with this reality, security needs to become a CEO-level responsibility–something that their performance and compensation are based on. And only once the SEC takes a stance along these lines will CEOs and boards of directors get on board.”