President Biden staged a big photo op yesterday at the White House to discuss how to improve cybersecurity. As we all know, those kinds of meetings, no matter which party is in the Big House, are not actually done to accomplish things; they are for show. So what came out of this dog and pony event? Actually, a couple of things might, possibly, have some substance.
- NIST will collaborate with industry to develop a new framework to improve the security and integrity of the tech supply chain. The good news is that Microsoft, Google, IBM, Travelers and Coalition (insurance) agreed to participate. The bad news is that the standard will be voluntary. For now. The Prez could sign an EO making it mandatory for executive branch departments AND THEIR VENDORS.
- The administration is expanding the industrial control systems (ICS) cybersecurity initiative to natural gas pipelines. The TSA, which has responsibility for regulating pipelines and has a very cozy relationship with the pipeline operators, probably got taken out to the woodshed.
- Apple agreed to establish a new program to improve the security of their supply chain, which includes more than 9,000 vendors in the U.S. They are going to shove MFA, security training, vulnerability remediation, event logging and incident response down their vendors’ throats. Generally good for industry. Probably not as exciting if you are an Apple supplier. Depending on whether they actually enforce it.
- Google announced it will spend $10 billion over five years to expand zero-trust programs, help secure the supply chain and enhance open source security. It will also help 100,000 people earn certificates related to cybersecurity. Who? Unknown. What? Unknown. When? Unknown. You get the idea. How much of that $10 billion were they already spending? Unknown.
- IBM says it will train 150,000 people in cybersecurity skills over the next three years (are they going to tell people don’t click on links?). They will also partner with historically black colleges to establish cybersecurity leadership centers. Whatever that means. Could, possibly, be good.
- Microsoft will spend $20 billion over 5 years to integrate cybersecurity by design and build cybersecurity products to sell you and me. They will also make available the equivalent of $150 million of their staff’s billable time to help government agencies improve their horrible security practices. They will also expand their partnerships with community colleges and non-profits on cybersecurity training. Who, what, when, how all undefined. Is this a penny more than they have been spending? Also unknown.
- Amazon will make the security awareness training it uses internally publicly available for free. Depending on how good that is, that could be a win. They are also going to give away some multi-factor authentication hardware tokens.
- Now here is something that will make some people UNhappy. Resilience insurance said it will require policy holders to meet a threshold of cybersecurity best practices if they want to keep their insurance policies. Or get a new one. Not clear what that threshold is.
- Coalition insurance said it will make its cybersecurity risk assessment tool (this is a tool that looks at publicly visible data to detect problems. There are a number of people who do this, but they charge a lot of money. If they give this away for free, that is good) available to anyone for free and it will also make its continuous monitoring platform available for free. Depending on what is in it, that could be very useful.
- Code.org says it will teach cybersecurity concepts (again, don’t click on links?) to over 3 million students in 35,000 classrooms over 3 years. Were they doing this already? Don’t know.
- Girls Who Code, a non-profit that works to increase the number of women in tech (a passion shared by super-model Karlie Kloss’ Kode With Klossy, who, yes, codes, and runs a coding bootcamp for girls only every summer), announced a micro-credentialing program for historically underrepresented groups. This is great, but I don’t know if this is an increase over what they were doing.
- The University of Texas said it will expand existing short-term credentials and develop new ones in cyber-related fields to increase the workforce. They are going to do it through UT San Antonio’s cybersecurity manufacturing innovation institute. This is outside a normal college degree program, but it is not clear how it will work.
- Whatcom Community College said it will be a new National Science Foundation Advanced Technological Education National Cybersecurity Center. They will provide education and training to faculty and support program development to make cyber education in colleges more practical. Again, who, what, where, when, how much all undefined.
While I am a bit skeptical as you can tell, you can’t argue with the concepts.
We need to keep these companies’ feet to the fire to make sure that they follow through.
Credit: The White House