WASHINGTON – President Joe Biden called on the leaders of prominent businesses including Apple, Google and JPMorgan Chase to do more to respond to cybersecurity threats during a meeting Wednesday at the White House.
“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do.”
Biden raised concerns that these challenges are compounded by the shortage of cybersecurity professionals, as the White House estimates roughly half a million cybersecurity jobs remain open, amid an onslaught of cybersecurity attacks.
Along with key members of his Cabinet and national security officials, Biden sought to address the “root causes of any kind of malicious cyber activity,” a senior administration official told reporters, amid a devastating wave of high-profile attacks.
Topics on the agenda included ransomware, the shortage of cybersecurity professionals and building software and devices with default security protections. The administration pressed firms in critical sectors, such as water and energy, to improve their protections to prevent a repeat of the Colonial Pipeline hack, which in May disrupted fuel supplies in the eastern United States, the official told reporters.
Apple CEO Tim Cook, IBM CEO Arvind Krishna and Alphabet CEO Sundar Pichai sat to Biden’s right as he addressed the executives, who were seated around a square table in the White House East Room. Amazon CEO Andy Jassy, JPMorgan Chase CEO Jamie Dimon and chief executives from major insurance, energy and water companies were in attendance, according to a list provided by the White House. Representatives from nonprofit organizations focused on computer science education, including Code.org, and several colleges have been summoned to discuss efforts to bolster the cybersecurity workforce, as about 500,000 U.S. cybersecurity jobs remain vacant. (Amazon founder Jeff Bezos owns The Washington Post.)
Amid a scourge of ransomware attacks and other hacks hitting businesses nationwide, the meeting marks one of the most high-profile displays of the Biden administration’s mounting pressure campaign on companies across economic sectors to do more to shore up their systems against cyberattacks. The gathering, which the White House first announced last month, highlights a growing recognition of the key role companies have to play in defending the United States against major cyberattacks, predominantly by bolstering their own defenses.
“We’ve seen time and again how the technologies we rely on from our cellphones to pipelines to the electric grid can become targets of hackers and criminals,” the president said.
A White House official, who was not authorized to speak publicly about the event, signaled that Wednesday’s meeting would be just the beginning of Biden’s outreach to the private sector, saying this won’t be Biden’s “last engagement” on these issues.
The administration announced that it would work with industry to develop new guidelines to help both companies and government agencies build secure technology, and assess the security of existing technology. Microsoft and Google, as well as insurance providers Travelers and Coalition, committed to participate in this initiative.
By hosting a high-profile gathering with a who’s who of the country’s most powerful leaders, the White House is demonstrating that cyberattacks are an “existential issue,” said Ari Schwartz, who was a White House cybersecurity official in the Obama administration.
“They could have had 25 cybersecurity companies there, but they focused on these companies instead because they’re trying to get a message home,” he said.
Schwartz noted that it was significant that the administration included multiple cybersecurity insurance companies in the discussions. One of the providers that participated in the meeting, Resilience, announced it will require policyholders to adopt certain cybersecurity best practices as a condition of receiving cyber insurance.
Schwartz says if insurance companies base their policies on the cybersecurity practices that businesses have in place, they could force better behavior throughout the industry.
“You’re going to end up with insurers telling companies what they can do to prevent the next attack,” he said.
Many executives in attendance at Wednesday’s meeting have been at the helm of companies during major security breaches. JPMorgan Chase suffered one of the largest breaches in 2014, when it revealed more than 76 million households and 7 million small business were affected by an attack of its computer systems. Tech including Apple and Microsoft, are routinely targeted by hackers. Microsoft disclosed earlier this year that a security flaw in its email servers was exploited by a group of Chinese government hackers, affecting at least 30,000 public and private entities in the United States alone. And a Washington Post investigation recently found that iPhones built by Apple, which has marketed its devices on claims that it offers better security than rivals, were vulnerable to spyware produced by Israel’s NSO Group.
Notably, the White House guest list did not include recent victims of high-profile hacks, including Colonial Pipeline or T-Mobile, which suffered a data breach earlier this month that exposed the personal information of more than 40 million people.
Companies seized on the spotlight to unveil a series of commitments to improve cybersecurity, within their own products and beyond. Microsoft announced it would increase its spending on integrating cybersecurity in its products, investing $20 billion over the next five years into such initiatives. The company had previously said it would spend $1 billion a year on cybersecurity. It also will make $150 million in technical services to help federal, state and local governments upgrade their cybersecurity protections.
Google announced a similar $10 billion commitment over the next five years to strengthen the cybersecurity of its products and supply chain. Apple said it would start a new program to ensure the security of its supply chain, by requiring its more than 9,000 U.S. suppliers to adopt practices such as security training.
Many of the corporate initiatives focus on the shortage of cybersecurity professionals. IBM promised to train 150,000 people in cybersecurity skills, and work with historically Black colleges and universities to establish centers focused on cybersecurity. Google committed to train 100,000 Americans in fields including IT support and data analytics. Amazon said it would make the cybersecurity training it developed for its own employees publicly available, and it would offer some of its cloud service customers a free multi-factor authentication device. Financial services company TIAA announced a partnership with New York University, which will enable its employees to obtain cyber master’s degrees for free. Code.org said it would train more than 3 million students in cybersecurity concepts in the next three years.
Biden has been dogged by cybersecurity crises, taking office just weeks after a far-reaching Russian hacking campaign on federal agencies and prominent companies, including Microsoft, came to light. In the months since his inauguration, the administration has scrambled to respond to blockbuster ransomware attacks that have hit schools, meat processors, local governments and small businesses, in addition to the Colonial Pipeline.
The administration has taken a number of steps to shore up critical industries in response, including creating a voluntary program that outlines how energy, transportation and agriculture companies should protect themselves against digital attacks. And the White House earlier this summer mandated that pipelines adopt specific protections to prevent ransomware attacks. During his opening remarks at Wednesday’s event, Biden said he has discussed recent cyberattacks with Russian President Vladimir Putin earlier this year, saying he “made it clear to him that we expected him to hold them accountable as well.”
“They know where they are and who they are,’ Biden said.
That threat of regulation could be a driving force behind companies’ attendance at the summit and willingness to partner with the administration on key initiatives.
“We’ve had a decade or more for industry to do voluntary [cyber] standards and it hasn’t emerged,” Michael Daniel, the president of Cyber Threat Alliance and a former White House cyber coordinator during the Obama administration, said in an interview. “So I think the government saying, ‘Look, we’ve got to get serious about this and either you guys need to do it or we have to look at mandatory approaches,’ is an appropriate place to be.'”
When asked about whether Biden would support legislation that would mandate companies to report cybersecurity incidents, White House press secretary Jen Psaki gave no firm answer, but said the White House would review any proposals that Congress advances.
“Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices and the private sector to take steps to harden their own cybersecurity,” she said during Wednesday’s briefing with reporters.
After meeting with the president, industry officials are meeting in breakout sessions. Homeland Security Secretary Alejandro Mayorkas and Energy Secretary Jennifer Granholm are meeting with energy, financial and water companies to discuss the resilience of critical infrastructure. National Cyber Director Chris Inglis leads the meeting with education leaders about the shortage of cybersecurity workers, and Commerce Secretary Gina Raimondo meets with tech and insurance executives about building long-term cybersecurity.
“We need to transition to where technology is built securely by default, we bake in security by design,” the White House official said. “We don’t buy a car and then buy the air bag separately. We need to know we’re buying secure tech.”
Wednesday’s summit is largely a signal from the president to the private sector that he cares about cybersecurity issues, said Emily Harding a senior fellow at the Center for Strategic and International Studies. It also signifies the current onslaught of hacks will likely be addressed in the future with legislation and executive orders.
“Summits like this are messaging opportunities more than policymaking opportunities,” she said. “I would expect the big movements on things like this to come later.”
– – –
The Washington Post’s Sean Sullivan contributed to this report.