At a glance.
- Government-industry partnership and the White House cybersecurity summit.
- State and local regulators move where US Federal regulators have not.
- US approves some chip sales to Huawei.
Notes on yesterday's White House cybersecurity summit.
The Biden Administration’s summit yesterday with tech, insurance, utilities, and education leaders, where IBM CEO Arvind Krishna called cybersecurity “the issue of the decade,” produced the following commitments, according to CNBC and GeekWire:
- From Apple, a supply chain security initiative centered on vendor training and implementation of multifactor authentication (MFA)
- From Google, a five-year, $10 billion cybersecurity investment and a promise to educate 100 thousand citizens for cyber careers
- From Microsoft, a five-year, $20 billion cybersecurity investment in addition to a $150 million boost to Government systems
- From IBM, a three-year pledge to teach 150 thousand individuals tech skills, along with the unveiling of a new storage product and plans for next-generation encryption
- From Amazon Web Services, gratis MFA gear for clients and a cybersecurity program for the public
- From insurance firm TIAA, continued investment in workforce development, including through subsidized employee graduate degrees
- From Code.org, a three-year promise to educate 2 million K-12 students and target 1 million more with a “How Not to Get Hacked” production
Insurance company Coalition underscored the industry’s privileged insight into the vulnerability landscape, saying, “There is no industry in the world with more data on managing cyber risk and no industry better positioned to incentivize the controls that reduce the likelihood or success of a cyber attack.” Coalition extended free entrée to its risk mitigation platform and offered to share claims data with interested parties.
Insurance provider Resilience followed suit, according to the Washington Post, with a commitment to set new cybersecurity baselines for customers.
Fortune emphasizes the workforce development angle of the gathering, remarking on the nation’s roughly 500 thousand unfilled cyber jobs across critical industries like health and manufacturing.
The Post described the meeting as “unusually public and ambitious,” marking President Biden’s admonishment that industry has “the power, capacity, and responsibility…to raise the bar on cybersecurity.” The Government announced plans to partner with Google, Microsoft, Coalition, and insurance provider Travelers on drafting security standards. Center for Strategic and International Studies fellow Emily Harding predicts more substantial regulatory moves down the line, noting, “Summits like this are messaging opportunities more than policymaking opportunities.”
After touting additional commitments like its participation in the National Institute of Standards and Technology’s supply chain security initiative and $100 million pledge to open source security organizations, Google offered some feedback of its own for Washington. “[G]overnments” should mind their legacy technology and contracts, the tech giant said, which “limit competition and choice, inflate costs, and create privacy and security risks.” The White House should also consider extending its zero-trust efforts to “production environments” in light of events like Holiday Bear’s romp. “We look forward to working with the Administration and others to define and drive a new era in cybersecurity,” Google concluded.
The Wall Street Journal characterizes President Biden’s national security priorities in the new era as cybersecurity, Russian hostility, and Chinese rivalry. Steven Aiello, security and compliance practice director at AHEAD, commented on the direction the summit seems to have set. But he thinks that there will have to be some serious work on resources, human and otherwise, before the US makes progress:
"The additional steps being taken by the U.S. government in response to the increased ransomware attacks are without a doubt a step in the right direction. However, the initiatives cannot be fully executed without a broader attention put on individual organizations to expand cybersecurity resources and personnel.
"Private sector organizations don’t have comprehensive cybersecurity teams in place to make solid use of threat intelligence. At AHEAD, we see a lot of customers lack super robust security teams due to talent shortages. The cybersecurity space in particular is experiencing a negative unemployment rate right now, and the truth is, there’s no ‘one size fits all’ solution for security at organizations – it has to be treated as a process, not a product. So while it’s important to remove barriers and share threat intelligence where possible, I truly believe there isn’t enough talent to effectively act on the information.
"I’m in favor of the majority of the Biden administration’s cybersecurity executive order, but we won’t see optimal success unless there are moves made to address the hiring challenges. The new website, stopransomware.gov, for example, could actually do more harm than good if organizations aren’t equipped with guidelines for answering questionnaires with secure information. There’s also a chance the website further reveals the knowledge gap at organizations based on the questions asked. One way to address the talent crisis and return the industry to a healthy ecosystem would be to add a scholarship program to the list of new initiatives. This would get people involved in a field that lacks professionals, fulfill a dire need and help from a jobs perspective.
"Ultimately, we have the right idea, but there’s a lot more that needs to happen behind the scenes before we begin to see real strides toward addressing the ransomware problem for good."
Such high-level meetings, of course, don't stand alone, and typically represent only a very small fraction of the work, most of which is done in the background. Tim Erlin, VP of strategy at Tripwire, commented:
“This kind of high-profile meeting is the tip of the iceberg for a larger effort to change the cybersecurity landscape. It’s clear that the Biden administration wants to shift both the perception and the reality that the United States’ role in cybersecurity is that of the victim.
"Given the makeup of the economy and the country, the government is limited in what changes it can make. Cybersecurity legislation is a heavy tool, but regulation may be necessary to force companies to step up.
"There’s a focus on critical infrastructure, but those organizations buy their technology from commercial suppliers. Securing critical infrastructure requires improvements in the security of those suppliers and their products. It’s an interconnected problem.”
Roger Grimes, data-driven defense evangelist at KnowBe4, agrees with the President's statement about the pervasiveness of the digital world:
"President Biden is right. It's hard to find a real-world situation not heavily managed and directed using digital means, which means it's subject to digital attacks. We have ransomware attacks taking out oil pipelines, food plants, hospitals, and entire cities...routinely. Biden's recent executive order was probably the best EO out of all the recent Presidents who have issued EOs on the subject. Of course, the single thing that would have the most and best impact, mandates, seems like it's never going to come. I understand why the White House can't mandate cybersecurity standards...that's the reality of how our government works...it's largely directed by businesses and voters...and American businesses and voters have repeatedly shown that they don't love mandates. So, if you leave out the huge elephant in the room...that voluntary compliance is likely never going to work or at least not work nearly as well, then the ideas and recommendations in Biden's recent EO are the best I've seen. And it replaces mandates with the buying power of the US government and that's a big, important thing. And it includes many things, such as the promotion of clouds and zero trust architectures, that the previous EOs didn't even mention. So, it's a huge improvement over the past ones. I also think Biden and his administration are trying to figure out how to make more countries accountable for fighting cybercriminals instead of being cybercriminal safe havens. On top of that, the real secret weapon crown jewel is Jen Easterly as Director of the Cybersecurity Infrastructure Security Agency (CISA). She is experienced and sharp as they come. She truly gets what it's going to take to improve national and global cybersecurity, and that means our nation is going to be better prepared as her changes start to take effect. Part of that is her recognition that we have a huge cybersecurity labor shortage. And she's implementing multiple programs recently to start tackling that issue as well.
"It's an all-hands-on-board approach. Look, I've been at this...cybersecurity...for over 34 years. It seems never to get better. Each year is worse than the last. This year for the first time I feel hopeful. I'm not sure if we are going to be better prepared next year than now, but for the first time I think there's a decent chance that we've started to turn the corner. And I don't say that lightly. It's been decades of disappointment. But I think ransomware and some of the other social engineering attacks, like multi-million-dollar business email compromise (BEC) scams, were the tipping point events we needed to finally get the all-hands approach we needed."
Another comment recognizing the central place digitization has come to occupy in current society came from Jerome Becquart, COO at Axiad:
“This meeting highlights not only the need for cybersecurity support from big tech, but that organizations of all sizes need to start planning for increased compliance in their industries.
"Recent cyberattacks have put focus on Zero Trust solutions that eliminate passwords and introduce secure multi-factor authentication instead, so it is likely that new standards and regulations will require this technology.
"Organizations need to consider how they will integrate new technologies with their legacy systems, and which solutions will enable their IT team and end-users to manage these new tools in a cohesive way. Otherwise they could run into issues later on as they continue to scale their new solutions, as cybersecurity is in a shortage with only 500,000 open jobs in the industry to support the growing needs. This lack of resources and expertise adds to this challenge, which is why businesses need to search for solutions that can mitigate this expertise with autonomous and user-friendly technology.”
Purandar Das, Co-founder and chief security evangelist at Sotero, is gratified by official recognition that the situation with respect to cybersecurity is a serious one:
“This is a really good sign that the administration understands the gravity of the current situation. While the administration clearly understands the potential of the current threats to wreak havoc on the economy as well as the potential to clearly hurt the country in the long term through the loss of intellectual property, a side effect, and a very positive one, is that it results in the protection of consumer information. If the current rate at which organizations lose consumer data continues, it has the potential to cause a total loss of trust. This loss of trust could eventually lead to adverse economic impact if consumers decide to stay away from organizations that don’t adequately protect data.
"It has also become abundantly clear that this is not just a problem that is impacting individual organizations. The recent wave of attacks using third party software as carriers is indicative of the enormous risk posed by the interconnected networks. Organizations don’t just operate in silos. They operate as connected entities that use a plethora of software including those from tech behemoths. Cooperation and increased vigilance are essential. The intervention of the administration is a great step. Additional enforcement has to be the stick. Organizations ought to start thinking of information protection before profits. Assuming that data or information loss is a cost of doing business is probably the biggest block to achieving security goals.”
Finally, Mark Sangster, eSentire's Vice President, Industry Security Strategies, offered a long essay on the direction the US might now take in the aftermath of the White House meetings. He sees the risk as having risen gradually, and as being all the more dangerous for that:
"As the premise goes, 'drop a frog in a pot of boiling water, it will immediately jump out.' If, however, you place the frog in cold water and slowly heat it up to boiling, it will fail to notice the temperature increase, until it's too late. The United States is now the boiling frog. Cybercriminals and adversarial state-sponsored threat actors have been turning up the cyber heat, yet we either haven’t noticed, or failed to react.
"Put another way, we live in a cyber cold war, much like the post–World War II period that lasted decades. In the cyber cold war, adversaries disable pipelines, attack hospital and healthcare labs, steal from industry, and work to erode our trust in each other and our government. In kinetic (traditional) war, military targets are considered acceptable, and civilians deemed collateral (unintended) damage. Yet, we live in a world where everyone is targeted. Banks, law firms, manufacturers, hospitals, retailers--you name it--are the casualties in this cyber cold war.
"At what point will the government have to shift from accepting cyber losses to military response as a deterrent?
"Here are my recommendations:
- "Spread Cybersecurity Awareness in a Clear, Easy-to-Understand Language. Up until recently, many businesses and public organizations didn’t see themselves as a target of cybercrime. Thus, they didn’t take adequate measures to protect themselves. However, today businesses and public organizations, both large and small and representing every industry, cannot help but be worried about cybercrime because a new cybersecurity breach hits the news outlets almost weekly. Organizations want to take action, but are often confused by the complex landscape of security solutions and services. Federal and state-level government agencies could benefit from investing in widespread PR campaigns that communicate the risk of cyberattacks and provide security measures, in simple, straightforward terms, language that consumers and businesses can follow and use to protect themselves. In the 70s, the animated series “Schoolhouse Rock!” explained complex processes, like what it takes to pass a bill into law or the fundamentals of English grammar. Everyone of my generation remembers this first generation of infotainment.
"Can’t we do the same with cybersecurity (using modern context and media) that conveys the risks and protective measures in simple terms? This isn't about clever musical videos, but it is about working with law enforcement and safety boards transitioning from not just educating about physical security but also cybersecurity.
- "The UL warnings of Cybersecurity. We are all used to yellow labels that warn of physical dangers when it comes to household appliances, work tools and even cars. And they are effective. We need the same thing but for cyber warnings. As more and more devices become smart devices (IoT), the corollary exists in the same devices. The government can provide warnings that explain the risk of using a certain Internet-enabled device without proper protection, like unique passwords and multi-factor authentication. Or that cameras, used to protect your home, can also be used to spy on you, if accessed and in the wrong hands.
"This Cybersecurity Safety Standard should also create multi-tiers for IoT devices: 1-for smart consumer devices, 2-for more risky commercial devices used in factories and hospitals (and if accessed by threat actors can cause significant harm), and 3-for critical infrastructure devices like pipelines, airliners, transport trucks, and so on.
"In response to massive data breaches, the European Union created the GDPR rules. Now that criminal activities have evolved to include business disruption, in the U.S., we also need a new set of security rules: General Cyber Protection Rules, which set our standards by which companies can protect themselves and their customers. It's time to consider cybersecurity and safety in the same way we look at physical harm and physical safety. It's another form of workplace safety. Otherwise, signs in the office "It's been X days since our last cyber outage," will become commonplace and the equivalent indicator of workplace injuries.
- "Security by design, not by choice. Internet-connected devices and online services such as retail and streaming, should include security by design, with critical controls set by default, and only disabled after an individual user agrees to a counter warning.
"Passwords and multi-factor authentication should be a default setting. VPN services can also be offered through ISPs.
- "Proactive Guidance and Threat Sharing. Various government agencies have a satellite-high frame of reference and can identify emerging threat trends before they come over the horizon and cause serious damage to businesses and public organizations.
"Proactive warnings and recommendations could thwart many serious cyberattacks.
- "Attribution and prosecution. Much like the “Top 10 Most Wanted” posters, we need the same for cyber risks. Law enforcement could provide real-time, Top 10 lists of the most common attacks, along with the best protective measures.
"One of the key points of the recent Presidential Mandate is to focus on securing the supply chain. We could consider taking some pointers from the Cybersecurity Maturity Model Certification (CMMC), which is required of vendors serving the DOD.
"The Mandate also calls for the establishment of a Cyber Safety Review Board to respond to major events. I think this could operate similarly to the aviation and transportation industries. For example, the NTSB investigates incidents and accidents, they determine all factors involved in a major accident and they make recommendations to prevent a reoccurrence. The FAA then mandates rules and regulations for those organizations and businesses in the aviation industry. I am not advocating a substantial increase in govt. regulations for the technology industry. However, there could be a model whereby the Federal Trade Commission investigates all of the major cyber incidents, determines the various tactics, techniques and procedures used by the threat actors, as well as any other key IOCs involved in the incident, and then anonymizes the specific victim orgs, and yet shares with the public the TTPs, IOCs and any other details which will help public and private companies, as well as govt organizations, learn how to take corrective action so that they do not become a victim."
Nature abhors a vacuum (subsidiarity version).
Protocol observes that local and state governments are the tip of the spear when it comes to attacking regulatory issues ranging from facial recognition and breach reporting to content moderation and market power. For certain stakeholders this is an intentional strategy: partisan legislatures (think New York City and San Francisco) can enact bigger changes than “compromise-dependent Capitol Hill,” changes that immediately impact Big Tech stomping grounds and subsequently shape national policies. Some companies and politicians then angle for Federal regulation to smooth over conflicting and changeable local laws with a uniform standard to mitigate compliance costs and confusion—for both companies and consumers.
As a case study of the trend: the US state of California’s Attorney General this week warned healthcare organizations that state law obliges them to disclose breaches impacting 500-plus residents to California’s Department of Justice. He also endorsed the following baseline security measures: patching, antivirus software, staff education, incident planning, backup maintenance, and unapproved software blocking.
Washington approves some chip sales to Huawei.
Reuters says the Biden Administration has granted blacklisted Beijing firm Huawei permission to purchase “hundreds of millions of dollars” worth of chips for automobiles, in a partial rollback of President Trump’s tough-on-China policies. Senator Marco Rubio (Republican of Florida) called the decision “yet another example of President Biden's failure to protect America's economic and national security.” Huawei is looking to expand further into the commodities market, already making plans to request tenfold more chips in the next round of licensing applications. "We are positioning ourselves as a new component provider for intelligent connected vehicles,” a company spokesperson said. The Biden Administration previously curbed parts sales for applications with 5G functionality, as Reuters reported.