Some of the biggest names in tech are promising to spend more than $30 billion to bolster cybersecurity capabilities, from securing the supply chain and expanding the adoption of the zero trust model to growing the talent pool, ramping up security awareness and revamping parts of the National Institute of Standards and Technology (NIST) framework.
The pledges from the likes of Google, IBM, Apple, Microsoft and Amazon came during a meeting this week with President Biden, who is continuing his push to improve the United States’ security posture in the wake of a series of high-profile and wide-ranging cyberattacks – like those on Kaseya, Colonial Pipeline and SolarWinds – that had broad and costly impacts on both the public and private sectors. The SolarWinds supply chain compromise affected a number of government agencies, while the Colonial Pipeline ransomware attack forced the operator to halt the pipeline and disrupted fuel supplies along much of the U.S. East Coast; it was closely followed by a ransomware attack on meat processor JBS.
Biden in May issued an executive order on improving the nation’s cybersecurity, which set new security requirements for federal agencies and for the software the government buys, and urged companies throughout the country to improve their own security postures. The president also launched a 100-day effort to improve cybersecurity in the electrical industry and ordered that a framework be developed to improve software supply chain security.
Big Tech at the White House
The White House meeting included a number of top tech CEOs, including Apple’s Tim Cook, Microsoft’s Satya Nadella, Amazon’s Andy Jassy, Arvind Krishna of IBM and Sundar Pichai, CEO of both Google and its parent company, Alphabet. There also were a range of top executives from other fields, including finance (JPMorgan Chase, TIAA and US Bancorp), insurance, education, and critical infrastructure operators in the water and energy sectors.
At the beginning of the 45-minute meeting, Biden said the private sector and the government needed to work together on this urgent issue.
“Most of our critical infrastructure is owned and operated by the private sector and the federal government can’t meet this challenge alone,” he said. “I’ve invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”
Google, Microsoft Pledge Money
At the meeting, Microsoft said it will spend $20 billion over the next five years to speed up efforts to integrate cybersecurity by design and bring to market advanced security solutions. The software and cloud giant also will make $150 million in technical services available to federal, state and local governments to upgrade their security protections.
For its part, Google said it will invest $10 billion over five years to expand zero trust programs, help secure the software supply chain and improve open source security. Zero trust is an increasingly popular model in which no user, device or request is trusted by default, whether it originates inside or outside the network perimeter; every access to infrastructure must be authenticated and authorized before it is granted.
Apple will create a new program for improving security in the supply chain, including working with more than 9,000 of its suppliers in the United States to accelerate the adoption of such tools as multi-factor authentication, security training, vulnerability remediation, event logging and incident response.
Further reading: Zero Trust Can’t Protect Everything. Here’s What You Need to Watch.
Security Training and Education Pledged
In addition, there was a strong push among the tech companies to help grow the talent pool at a time when the industry is dealing with a widening security skills gap, making it difficult for many organizations to find trained cybersecurity workers.
IBM said that over three years, it will train 150,000 people in cybersecurity and partner with more than 20 Historically Black Colleges and Universities (HBCUs) to create Cybersecurity Leadership Centers to close the skills gap and build a more diverse workforce.
Meanwhile, Microsoft will expand its partnerships with community colleges and non-profit agencies around cybersecurity training, and Google said it will help 100,000 Americans earn digital skills certificates that can lead to good jobs in the security field.
Code.org will teach cybersecurity concepts to more than 3 million students in 35,000 classrooms over the next three years, both to show them how to be safe online and to generate interest in careers in cybersecurity. Girls Who Code will create a micro-credentialing program – which will include scholarships and early career opportunities – for people in underrepresented groups.
The University of Texas system will expand existing short-term credentials and develop new ones in cyber-related fields to grow the country’s cybersecurity workforce, including making entry-level cyber educational programs available to more than a million workers in the United States.
Whatcom Community College, recently named the new National Science Foundation (NSF) Advanced Technological Education National Cybersecurity Center, will provide cybersecurity training and education to faculty and support the development of programs for colleges to accelerate students’ journeys from college to their careers.
Amazon is focusing on educating the public, saying it will make the security awareness training it gives its own employees available for free to the public. It also will offer a free multi-factor authentication device to Amazon Web Services (AWS) account holders, so that a stolen or phished password alone is not enough to take over an account.
Code Security is Key
In a blog post, Google software engineers Eric Brewer and Dan Lorenc laid out some steps Google has taken to help organizations improve their security capabilities, from software code testing and supply chain integrity to software development.
“Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms, and frameworks that stop entire classes of bugs,” the two wrote. “Preventing problems before they leave the developer’s keyboard is safer and more cost effective than trying to fix vulnerabilities and their fallout. (Consider the enormous impact of the SolarWinds attack, which is predicted to take $100 billion to remediate.) Google promotes designs that are secure by default and impervious to simple errors that can lead to security vulnerabilities.”
Further reading: Neural Fuzzing: A Faster Way to Test Software Security
Varying Levels of Commitment
The long list of promises and initiatives outlined by the tech giants “is a roster of things and all of the things are very different from one another with different levels of commitment,” Chris Gonsalves, vice president of research at Channelnomics, told eSecurity Planet. Pledges from Apple and Amazon to bolster multi-factor authentication do little to move the needle, Gonsalves said.
However, “a number of the vendors on the list have committed serious dollars to getting people trained,” he said. “We all know that there is a cybersecurity skills gap and there’s a real need for basic skills, for folks to staff SOCs [security operations centers], folks to do really basic vulnerability assessments. To up the ante and to move people into those positions, maybe bringing them from IT administrative jobs into more specialized security demands, that’s important from a technology standpoint.”
The push by some vendors to spend money to drive zero trust and improve the basic level of security in their products is important, though it could be argued they should have been doing that already.
“When Microsoft said, ‘Oh, we’re committed to making our products secure and resilient,’ what are you doing now?” Gonsalves said. “That should be part of their charter already. But for them to throw numbers around in the double-digit billions of dollars shows a real commitment there.”
A key point is the recognition by the government and vendors that industrial control systems (ICS) and the tech supply chain require special attention, with NIST expanding its security framework to include guidance specific to supply chain security and the government making industrial controls a focus.
“This critical infrastructure, a lot of it is in the hands of the private sector, so it really requires this public-private partnership to do it right,” he said.
More Cooperation Needed
Rob Enderle, principal analyst with The Enderle Group, said what struck him was that he didn’t see the vendors promise anything they weren’t already working on. They compete on security and are spending massive amounts of R&D money to make their products secure. That said, the companies can have a big impact given they know their products best and have data showing them how the offerings are being compromised, so they can better secure them.
“Collaboration between the companies, which is occurring, is still likely below what it needs to be given the level of threat, and this meeting may have helped improve that,” Enderle told eSecurity Planet. “Their most significant impact will likely be collectively sharing the nature of new threats and designing AI [artificial intelligence]-based solutions that deal with these current threats and those that will emerge in the future.”
Given the focus on cybersecurity, top security companies that specialize in defending against attacks should have been at the meeting, he said.
“Given the threat is very high for a catastrophic security breach, something that causes hundreds or thousands of deaths like what almost happened to the water system in Florida, it seems we still aren’t taking the threat as a nation seriously enough,” Enderle said.
Further reading: How Zero Trust Security Can Protect Against Ransomware