The government-industry cyberdefense dance
After assembling a team of tough-minded regulators to take on big technology companies, the Biden administration on Wednesday called on many of those same companies to work with the federal government to address a growing wave of cyberattacks.
Driving the news: A White House summit between President Biden and tech leaders Wednesday, including the CEOs of Apple, Google, Amazon, Microsoft and IBM, concluded with a raft of announcements of new cybersecurity projects and spending plans.
- Microsoft said it would spend an additional $20 billion over five years on "security by design" and offer $150 million in technical services to federal, state and local governments.
- Google plans to spend $10 billion over five years on zero-trust programs and other measures to bolster software supply chains and open-source security.
- Amazon said it would offer the public free access to the same "security awareness training" it provides its employees.
- IBM said it would train 150,000 people in cybersecurity skills over three years and partner with 20 historically Black colleges and universities to create cybersecurity leadership centers.
- Apple said it was starting a new program to enhance supply chain security.
Why it matters: Defending the U.S. against cyberattacks and cybercrime is too big a problem for either government or industry to solve on their own.
- Biden took office in the wake of the widespread SolarWinds breach, which Russia has been widely held responsible for, and since then has dealt with high-profile ransomware attacks that briefly disabled a major U.S. pipeline and a big meat distributor.
Yes, but: It's an awkward moment for the White House to be trying to partner with tech companies that the executive branch is also pursuing with antitrust lawsuits and investigations.
Of note: Facebook was the one tech giant without a seat at the White House table Wednesday.
- The company is fresh off a confrontation with the Biden administration over the spread of COVID-19 misinformation on its platform.
- But Facebook is also the primary online touchpoint for tens of millions of Americans in their personal lives, and any broad cybersecurity project might benefit from the company's participation.
Between the lines: Some observers saw the White House meeting as a signal from Washington to the industry that it needed to take strong voluntary action or face a new wave of regulatory or legislative mandates.
- Many in industry believe that baked-in government rules could hamstring companies trying to adapt to a rapidly changing cybersecurity environment.
- But others view some additional regulation as inevitable.
- IBM CEO Arvind Krishna told Axios Today he supports new cybersecurity disclosure requirements for private companies. "Disclosures will go a long way because once it's transparent, everyone will improve," he said.
Our thought bubble: This needn't be an either/or scenario. Rules can help set minimum security standards, while direct action against cyberattacks will likely need both the industry's technical prowess and the government's international reach and offensive capabilities.
The summit also covered ways to protect supply chains and critical infrastructure, cyber insurance for businesses, and a pressing shortage of workers in the sector, where "nearly half a million public and private cybersecurity jobs remain unfilled," according to a White House statement.
The bottom line: The most successful cyber defense plans are the ones you don't hear much about, because the attacks and disasters they foil never become news. That's why it will take a while before we know whether this week's announcements have any impact — and the less news you see, the more you can assume they're working.