Biden Says Cybersecurity Is The ‘Core National Security Challenge’ At CEO Summit, Experts Reacted

BACKGROUND:

Yesterday, President Biden hosted executives from major technology, financial, and energy companies for a summit on national cybersecurity, calling the issue “the core national security challenge we are facing.” Speaking to reporters briefly at the start of the meeting, Mr. Biden highlighted estimates that roughly half a million cybersecurity jobs in the U.S. are currently unfilled and stressed the private sector needs to do more to safeguard digital systems from criminal and state-backed hackers and spies. “The federal government can’t meet this challenge alone,” Mr. Biden said. “I’ve invited you all here because you have the power, the capacity, and the responsibility, I believe, to raise the bar on cybersecurity.”


6 Expert Comments
Tony Cole, CTO
InfoSec Expert
August 27, 2021 11:53 am

<p>It’s great that the President has called a meeting to discuss cybersecurity, however we need a lot more than just a discussion. There have been some very good steps as of late with Chris Inglis and Jen Easterly confirmed and now in their roles at the WH and CISA (respectively) and the President’s Executive Order on cyber now in place. What we need is a more effective public strategy on deterring attackers and a prime focus on detection. Prevention is critical and can’t be overlooked however quick detection of attacks is critical to mitigating damage. Something that still isn’t talked about a lot. Look at MITRE ATT&amp;CK and MITRE Engage/MITRE Shield, the yin and yang of attack and defence. Then instrument your enterprise accordingly because just another large meeting won’t fix these major challenges facing every organization.</p>

Demi Ben-Ari, CTO
InfoSec Expert
August 27, 2021 11:51 am

<p>President Biden’s meeting with CEOs of major companies at the White House delivers an important message: The government and the private sector must work closely together to create accepted standards and procedures to ensure robust cybersecurity. Ultimately, however, that responsibility does not rest merely with the government and leaders of large corporations. To effectively combat cyber threats, all companies in every industry and of every size must implement effective processes to ensure that they—as well as their supply chain partners—have a strong cyber posture. These processes include a combination of comprehensive attack surface assessments and automated security questionnaires, as well as continuous monitoring to alert of any cyber threats.</p>

Roger A. Grimes, Data-Driven Defense Evangelist
InfoSec Expert
August 27, 2021 11:50 am

<p>President Biden is right. It’s hard to find a real world situation not heavily managed and directed using digital means, which means it’s subject to digital attacks. We have ransomware attacks taking out oil pipelines, food plants, hospitals, and entire cities…routinely. Biden’s recent executive order was probably the best EO out of all the recent Presidents who have issued EOs on the subject. Of course, the single thing that would have the most and best impact, mandates, seems like it’s never going to come. I understand why the White House can’t mandate cybersecurity standards…that’s the reality of how our government works…it’s largely directed by businesses and voters…and American businesses and voters have repeatedly shown that they don’t love mandates. So, if you leave out the huge elephant in the room…that voluntary compliance is likely never going to work or at least not work nearly as well, then the ideas and recommendations in Biden’s recent EO are the best I’ve seen. And it replaces mandates with the buying power of the US government and that’s a big, important thing. And it includes many things, such as the promotion of clouds and zero trust architectures, that the previous EOs didn’t even mention.</p>
<p>So, it’s a huge improvement over the past ones. I also think Biden and his administration are trying to figure out how to make more countries accountable for fighting cybercriminals instead of being cybercriminal safe havens. On top of that, the real secret weapon crown jewel is Jen Easterly as Director of the Cybersecurity Infrastructure Security Agency (CISA). She is experienced and sharp as they come. She truly gets what it’s going to take to improve national and global cybersecurity, and that means our nation is going to be better prepared as her changes start to take effect. Part of that is her recognition that we have a huge cybersecurity labor shortage. And she’s implementing multiple programs recently to start tackling that issue as well. It’s an all-hands on-board approach. Look, I’ve been at this…cybersecurity…for over 34 years. It seems never to get better. Each year is worse than the last. This year for the first time I feel hopeful. I’m not sure if we are going to be better prepared next year than now, but for the first time I think there’s a decent chance that we’ve started to turn the corner. And I don’t say that lightly. It’s been decades of disappointment. But I think ransomware and some of the other social engineering attacks, like multi-million dollar business email compromise (BEC) scams were the tipping point events we needed to finally get the all-hands approach we needed.</p>

Tim Erlin, VP of Product Management and Strategy
InfoSec Expert
August 27, 2021 11:48 am

<p>This kind of high-profile meeting is the tip of the iceberg for a larger effort to change the cybersecurity landscape. It’s clear that the Biden administration wants to shift both the perception and the reality that the United States’ role in cybersecurity is that of the victim. Given the makeup of the economy and the country, the government is limited in what changes it can make. Cybersecurity legislation is a heavy tool, but regulation may be necessary to force companies to step up. There’s a focus on critical infrastructure, but those organisations buy their technology from commercial suppliers. Securing critical infrastructure requires improvements in the security of those suppliers and their products. It’s an interconnected problem.</p>

Sam Curry, Chief Security Officer
InfoSec Expert
August 27, 2021 11:46 am

<p><span lang="EN-US">After months of escalating cyberattacks engineered by nation state sponsored groups against public and private sector companies, critical infrastructure providers and organisations distributing COVID-19 vaccines, Wednesday’s cybersecurity focused meeting at the White House is long overdue.</span></p>
<p><span lang="EN-US">The 24 CEOs from leading tech companies, banks, insurers, critical infrastructure providers and educational institutions with a seat at the table with President Biden for one hour don’t need a reminder that anyone and everyone will be hit as their companies face a daily barrage of cyberattacks. Interestingly, Wednesday’s meeting included a one-hour meeting with the President followed by three breakout sessions focused on risk assessment, critical infrastructure and cybersecurity education/training. </span></p>
<p><span lang="EN-US">If we have learned anything since the SolarWinds breach opened the floodgates, the public and private sector needs to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire. Sure, the threat actors will get in, but so what. We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can, in short, make material breaches a thing of the past. So, what if they get a toe hold on the ramparts. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.</span></p>
<p><span lang="EN-US">My memo for President Biden with suggestions on curbing the onslaught of cyber threats, includes:</span></p>
<ol>
<li><span lang="EN-US">Working the international relations front. That means ambassadors engaging, treaties updated for extradition, use the tools of the government for goodwill here and treat them as we would a drug czar or terrorist grandee. If the UN could get together to ban travel to Iraq and Syria because of ISIS in 2015, go do something like that now.</span></li>
<li><span lang="EN-US">Authorize the DoD and Cyber Command to engage with clear rules of engagement in offensive operations. Develop these in partnership with the industry and make it clear there’s a cost to hacking U.S. targets as bad or worse than other crimes against U.S. persons and entities.</span></li>
<li><span lang="EN-US">Sponsor a bi-partisan bill to update the penalties associated with cybercrime of all sorts.</span></li>
<li><span lang="EN-US">Task DARPA (and other government innovation centers) with stimulating innovation in new technologies specifically around supply chain risk upstream, new methods of prevention, new methods of detection, etc.</span></li>
<li><span lang="EN-US">Take a leadership role in public/private/academic collaboration and task them with developing new strategies, new standards, new ways of collaborating, etc.</span></li>
</ol>
