The Biden Administration held a summit on August 25 with technology, finance, energy and education leaders to discuss ways to bolster cybersecurity, both for individual companies and the nation as a whole. Companies represented included some of technology’s biggest names such as Apple, Amazon, Google, IBM and Microsoft.
Some organizations announced commitments to improve security controls and practices across the supply chain and to invest in education. Apple committed to working with suppliers to drive the adoption of measures such as multifactor authentication and event logging. Google plans to invest $10 billion in zero-trust programs, software supply chain security and open-source security.
Following the event, (ISC)2 conducted a quick online poll of 105 global cybersecurity practitioners to gauge their reaction. Respondents from 43 countries supplied answers to the question: “What is your assessment of the summit at the White House and the cybersecurity commitments made by some of the world’s largest technology companies?” Following are some of the reactions that were reported.
Overall, responses fell into one of three buckets. The first comprises respondents who think this is a positive step in the right direction. The second falls into the category of “cautiously optimistic” but wanting to see more. And the third could be categorized as deeply skeptical of the effectiveness of such initiatives and questioning the motives of public and private sector participants.
A Good Start
A prevailing sentiment was that the summit represented a good first step – “outstanding,” according to one respondent – toward addressing pervasive cyber threats such as ransomware. One respondent called the summit “an essential step towards strengthening our nation's cybersecurity posture.”
Another said, “It confirms that cybersecurity and the well-being and welfare of society in the cyber space is a top priority.”
“This is a good initiative that will undoubtedly help in the fight against ransomware and other forms of cybercrime,” remarked yet another respondent.
Needs Follow Through
The largest bucket of responses revealed some level of ambivalence fueled by cautious optimism. One respondent admitted being “skeptically optimistic,” but was waiting to see “results before I can fully appreciate the effort.” Another called it “a step in the right direction as long as it's not continued unfunded mandates without real security principles and practices.”
Said another: “Until government passes laws causing companies to invest in security and take the matter more seriously, I doubt industry is going to respond enough to make a difference.”
“The commitments made mean nothing until properly implemented and funded,” another respondent remarked.
One respondent called for a unified approach, saying, “Cybersecurity needs a whole of government, industry and community response. Leading tech companies are showing leadership in security where they have control and influence. But some things need to be done or encouraged by government.”
“The summit brought everyone together,” said another respondent, “but I'll wait to see what concrete steps these organizations take to introduce blockchain into email systems, so every email can be traced back to its true origin.”
“I believe that the White House is moving in the right direction. The supply chain should be validated to ensure that products the United States purchases are not procured from untrusted sources. I feel that they fell short regarding holding nation actors accountable for actions performed to disrupt infrastructure resources,” said yet another cybersecurity professional.
One respondent cited workforce development and training as one of the key issues to focus on. “I think that they highlighted the lack of roles in cybersecurity that need to be filled. This may be a good thing for cybersecurity as we do need the additional help, however, how to train up people to perform the work we do today is no easy task. It will be refreshing to see if the White House can create any sort of additional incentive for folks going into cybersecurity to help close the staffing gap.”
This opinion was countered by another who felt that staffing was not as critical an issue as investment by the business in security programs. “Sitting in the 'trenches' so to speak, I see the right security talent sitting in the chairs, and the right relationships with SOC/security providers in place. What I am not seeing is investment from the business into security. It’s still an 'afterthought'. Money and talent won't change that, it is a cultural change that needs to occur in order for businesses to spend money on security tools that monitor environments such as [Google Cloud Platform], Azure, AWS and many SaaS-based applications.”
A Global Problem
The poll revealed an urgency to address cyber threats globally. A single government cannot address the problem, said one respondent. “When fighting ransomware and cybercrime, there is a need for a more global strategy.”
Another respondent put it more bluntly: “International agreements with penalties for those who don’t act in accordance with international norms are needed.”
Countries need to work together to address cybercrime, said one participant. “It is important to hold cybercriminals accountable. I hope this administration and our allies can continue to make accountability a priority.”
Not Buying In
While optimism seemed to outshine negative responses, some poll participants expressed fatalistic views. Here’s one example: “You can't legislate cybersecurity; laws will always be long since outdated by the time they are passed. Furthermore, politicians don’t understand security.”
Many are skeptical about the government and big tech’s ability to address the problem. Some voiced concerns that cybersecurity may become politicized.
“It was showmanship. Very little policy action… Would love to see some leadership and policy,” said one respondent. Another put it this way: “The commitments were nothing more than platitudes… don’t necessarily provide any real movement to encourage security.”
Another respondent opined that the summit should have included more industries. “It would seem that they would have a better assessment of the state of cybersecurity than companies that provide technology resources with the main interest of convenience.”
There was also concern about funding. One respondent said “most organizations that need the help” don’t have the means to strengthen their defenses. Said another: “I think that we need additional funding in order to accomplish our goals in IT as a nation. What they want and what they are willing to pay for don’t align.”
Judging from the responses, it’s clear the industry views the cybersecurity dialogue as a good thing. Many want the discussion to continue.
As one respondent put it: “The federal government's prioritization of cybersecurity is long overdue, and I'm glad that the world's largest tech companies and Biden's administration can get on the same page when it comes to defending America's industrial infrastructure and networks.”