Tech companies pledged substantial investments at the White House summit Wednesday, where they joined education leaders and the Biden administration to discuss government initiatives to modernize cyberdefenses.
Microsoft and Google pledged a combined $30 billion in funding over the next five years. The meeting focused on securing the supply chain and combatting threats against critical infrastructure, highlighted by this year's attack on the U.S. Colonial Pipeline. Additionally, the big investments represent the next step in the growing partnership between the government and the private sector.
The Biden administration has expressed the role it believes the private sector must play in securing cyberdefenses. In the executive order signed by President Joe Biden in May, one priority was to remove barriers to threat information sharing between the government and private sector. It was highlighted again on Wednesday when Biden said that most of the U.S.'s critical infrastructure is owned and operated by the private sector, and "the federal government can't meet this challenge alone."
The large financial backing from the tech giants came as no surprise to infosec experts.
"Overall, the committed contributions have more ceremony than substance. Most are aligned with initiatives already underway, with a few exceptions," said Dave Gruber, an analyst at Enterprise Security Group, a division of TechTarget. "Google and Microsoft each have much to gain from their contributions."
Private sectors invest in the future
There were other helpful commitments as well. Chris Steffen, research director at Enterprise Management Associates Inc. (EMA), told SearchSecurity that he is excited to see that the Biden administration is trying to follow through on some of the recommendations that came from the May executive order. The initiatives mesh with the research that EMA has been conducting on trends in the cybersecurity space. That includes zero-trust security models.
Part of Google's $10 billion pledge includes expanding zero-trust programs, which have gained popularity following COVID-19 and the move to remote work. Steffen said EMA recently conducted a survey that showed that more than 72% of enterprises are deploying or evaluating a zero-trust project.
Increasing cybersecurity technical training was another significant takeaway from the meeting to discuss cyberdefenses, where Biden said the" skilled cybersecurity workforce has not grown fast enough to keep pace" as cybercriminals increasingly target everything, from cell phones to pipelines.
For Steffen, a pledge by IBM to train upwards of 150,000 in cybersecurity skills was particularly important. According to Steffen, EMA found that about a quarter of enterprises (24%) indicated the availability of applicants with desired skills/experience in cybersecurity was one of the most significant challenges they faced when hiring for cybersecurity. However, Gruber said IBM had previously announced the program, and it had been underway for a while.
Microsoft also promised to promote cybersecurity training. In addition to a $20 billion pledge to accelerate efforts to integrate cybersecurity by design and deliver advanced security solutions, the vendor announced it will expand partnerships with community colleges and nonprofits for cybersecurity training.
"The investments in zero-trust by Google and the cybersecurity training investments made by IBM will have significant impacts on the tech industry in the future," Steffen said in an email to SearchSecurity.
Jon Oltsik, senior principal analyst at Enterprise Strategy Group, a division of TechTarget, said the industry is at a tipping point with security. Big businesses spending billions appears to be an investment into their future.
A major cybersecurity event on critical infrastructure impacting consumers could in turn affect the whole technology industry, slowing down the move toward digital transformation.
Jon OltsikSenior principal analyst, Enterprise Strategy Group
"A major cybersecurity event on critical infrastructure impacting consumers [power outages, bank takedowns, etc.] could in turn affect the whole technology industry, slowing down the move toward digital transformation. These big companies recognize this and have the resources to do something about it," Oltsik said in an email to SearchSecurity.
More work needed to secure the supply chain
Supply chain threats were another topic at the meeting. The potential danger to supply chains was seen in the recent attacks on SolarWinds and Kaseya, which specialize in remote management software. Helping to secure the software supply chain was part of Google's hefty investment pledge.
During the meeting, Apple also announced it would establish a new program to drive continuous security improvements throughout the technology supply chain. Apple said it would work with its suppliers, including more than 9,000 in the U.S., to drive the mass adaptation of multi-factor authentication, security training vulnerability remediation, event logging and incident response. However, Gruber told SearchSecurity that the vendor's commitment to drive improvements in the supply chain seems weak compared with others, such as the National Institute of Standards and Technology (NIST).
The government agency has pledged to collaborate with industry partners to develop a new framework to improve the security and integrity of the technology supply chain. According to the White House briefing, the approach will serve as a guideline to public and private entities on how to build secure technology and asses the security of technology, including open source software. Major tech players already committed to participating in the initiative include Microsoft, Google and IBM.
"Updating the NIST framework to outline an approach to securing the supply chain will definitely add value over time," Gruber said in an email to SearchSecurity. "It's long overdue."
