President Biden convened a meeting at the White House last week to focus on cybersecurity. After months of escalating cyber attacks that have affected critical infrastructure providers and the food supply chain, and have even disrupted the distribution of COVID-19 vaccines and hospitals at capacity struggling to treat COVID patients, it is time to draw a line in the sand. One thing that is increasingly evident as the lines have blurred for cyber attacks is that cybersecurity is national security.
The meeting included CEOs from 24 leading tech companies, critical infrastructure providers, banks, insurers, and educational institutions. It is unreasonable to expect miracles after meeting for only a few hours—especially when no cybersecurity companies were invited to the table—but the White House announced a number of bold initiatives to get the nation heading in the right direction.
The Biden administration announced that the National Institute of Standards and Technology (NIST) will collaborate with private sector partners to develop a framework to improve security and integrity in the supply chain. They also formally expanded the Industrial Control Systems Cybersecurity Initiative beyond electric utilities to include natural gas pipelines.
Major tech companies agreed to chip in with a variety of initiatives. Apple will improve supply chain security, Google will expand zero trust programs, Microsoft will accelerate efforts to integrate cybersecurity by design into systems, and Amazon will make its internal security awareness training available to the public for free, just to name a few.
One of the most reassuring facets of the meeting, though, was the emphasis on education and training. The heads of Code.org, Girls Who Code, and the University of Texas were among those invited to the Biden administration meeting. They have announced programs to teach basic cybersecurity to students, expand existing and develop new short-term credentials in cyber-related fields to help address the cybersecurity skills gap, and make scholarships and career opportunities more accessible and available to underrepresented groups.
All of that is very encouraging. The SolarWinds breach, followed by the HAFNIUM attacks against vulnerable Microsoft Exchange Servers, and the massive ransomware attacks against Colonial Pipeline and JBS Meat Packing have demonstrated that the public and private sectors must work together. It is time to stop relying on antiquated technologies designed to protect against threats from 20 years ago, and invest in cutting-edge prevention, detection, and resilience solutions.
I think we should also address escalating cyber espionage and nation-state cyber attacks by introducing financial regulation of Bitcoin and other cryptocurrencies to fight ransomware and limit the ability to monetize cybercrime, as well as legislation to update the penalties associated with cybercrimes, work with our allies to update treaties for extraditing cybercriminals, and foster global cooperation to fight back.
I recommend that President Biden stress to nation-state adversaries that there will be a cost to attacking US targets. The administration should establish clear rules of engagement for offensive operations and provide the DoD and Cyber Command with the authority and resources necessary to get the job done.
One of our core values at Cybereason is “Win as One.” That philosophy also applies here. We face a constantly evolving and expanding landscape of threats, and increasingly sophisticated attacks that blur the lines between cyber attacks and cyber espionage. It will take a collaborative effort between private sector vendors and government agencies to exchange intelligence and knowledge to improve our ability to fight the rising tide of advanced cybercrime.
Cybersecurity is national security.