The White House summit Wednesday demonstrated positive momentum for both the Biden administration and private sector in terms of their approach to cybersecurity, but also laid bare what remains inadequate, cyber experts said.
The high-profile meeting brought together CEOs from the education, energy, finance, insurance and tech sectors, featuring companies like Amazon, Bank of America and ConocoPhillips. Some pledged billions more in cyber investments, while others committed to providing training and smaller services in response to the administration’s “call to action.”
While impressive, observers noted, those commitments will require considerable follow-up, from expansion to other sectors to policy changes that could emerge from closer-knit relationships between industry and government.
Even as the nonprofit Global Cyber Alliance’s Megan Stifel commended the White House for holding the meeting and the broad commitments that the companies made, she said it illustrated the lengths to which the U.S. can improve national cybersecurity.
“A couple folks have struggled with the idea that we’re going to pat companies on the back for doing things they should already be doing,” said Stifel, a former National Security Council staffer and the alliance’s global policy officer and capacity and resilience program director.
Still, the mere act of holding the summit, which came as Afghanistan consumes headlines, sent an important signal, said Ari Schwartz, a former White House staffer who now serves as manager of cybersecurity services at Venable and leads the Cybersecurity Coalition of cyber firms.
“It’s a good thing to bring in CEOs from the different sectors and make sure they’re paying attention to their most important areas for cybersecurity and continue to help them understand that cyber, with everything going on, is still a top tier issue for” the administration, said Schwartz, who represented multiple clients in attendance at the meeting. “For the White House and the president to be spending an hour of his time with them, that’s important messaging.”
Senate Homeland Security Chairman Gary Peters, D-Mich., said the industry commitments “will not only strengthen their own security, but help protect our critical infrastructure and Americans from these relentless threats.”
Many applauded the incorporation of the education sector and its related pledges, in particular. Besides the meeting with the president, the assembled companies also met in sector-by-sector discussions led by top administration officials like Cybersecurity and Infrastructure Security Agency Director Jen Easterly and National Cyber Director Chris Inglis.
New York Democratic Rep. Yvette Clarke, who chairs the Homeland Security Committee’s cybersecurity subpanel, said she was “grateful for the commitments made by our private sector partners to step up their cybersecurity efforts, particularly those centered around our cyber workforce and partnerships with” historically black colleges and universities, a sentiment shared by the full committee chairman, Mississippi Democrat Bennie Thompson.
But Clarke also said there is “more work to be done” on the interplay between government and industry, such as bipartisan legislation she’s working on to establish when businesses must report cyber incidents.
Kiersten Todt, managing director of the nonprofit Cyber Readiness Institute, said “the key will be in the follow-up.” For example, it was smart to include the insurance industry in the meeting given its potential ability to influence cybersecurity, but she would like to see other industry sectors included in future discussions.
“It’s important for everyone to recognize that this was a representative group, but it’s certainly not the comprehensive group,” she said. (Apple, whose CEO Tim Cook attended the meeting, recently joined Todt’s institute, and vowed to promote multi-factor authentication and other security practices among its suppliers.)
The “important set of private sector commitments” that came out of the meeting can pave the way for more needed public-private collaboration on defending collectively and deterring cyber threats, said Jamil Jaffer, a former GOP House Intelligence Committee staffer who now serves as senior vice president at IronNet Cybersecurity.
New York Rep. John Katko, the top Republican on the House Homeland Security panel, said he’d be watching how the companies’ praiseworthy commitments lead to further action.
“These items will require thoughtful and constant focus in the coming months, and we’re curious to hear how these efforts will work alongside existing efforts,” he said, adding that he “looks forward” to ongoing conversations about empowering CISA and safeguarding critical infrastructure.
In other words, this is just the beginning of the discussion, said Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center.
“There’s a lot of appetite on all sides of the issue. But when it comes down to it, what are the mechanisms and the incentive to be put in place to actually make that happen, who are the people on the ground to actually make that happen?” said Zabierek. “So there’s some good initiative here at the top, and I’m looking forward to seeing how we, as people in industry and academia, really work to fill in that space of the necessary structures and policies to do so.”