Attendees’ discussions are expected to focus on expanding the cybersecurity workforce to sate unmet demand for talent, encouraging critical infrastructure providers to enhance their defenses against ransomware and pushing vendors to infuse greater security into their offerings.
The senior White House official said that the Aug. 25 sessions are an opportunity for attendees to air ideas and examine various approaches to incentivize change. Officials also expect to obtain “specific commitments” from companies, and small group breakout sessions are intended to see public- and private-sector officials pin down clear next steps for better protecting the nation.
CYBER WORKFORCE
Public and private organizations struggle to improve their defenses when they simply don’t have enough staff to do the work, and the White House estimates that 500,000 cybersecurity positions remain unfilled.
National Cyber Director Chris Inglis is scheduled to discuss the issue in a breakout session with representatives from higher education institutions and grade school-focused nonprofits. These include Girls Who Code and Code.org, as well as the University of Texas System, Tougaloo College and Whatcom Community College.
CRITICAL INFRASTRUCTURE
Department of Homeland Security Secretary Alejandro Mayorkas and Department of Energy Secretary Jennifer Granholm are meeting in turn with representatives of energy, financial and water sectors to discuss improving the resilience of critical infrastructure.
Members of JP Morgan Chase, Bank of America, TIAA and U.S. Bancorp will represent the financial sector, according to the White House press release. Electric and water sector attendees were not identified.
SECURING TECHNOLOGY PRODUCTS
The White House also wants technology companies to ensure their products are secure before releasing them — rather than relying on patches and advice issued later to shore up issues.
Designing offerings with security more in mind would mean that final products provide fewer opportunities for bad actors to slip in during the time before the vulnerabilities are repaired. The senior official also said it would reduce demands on customers to keep up with the updates and defend themselves. Small businesses in particular can be burdened by having to install security patches, the official said, and residents who are less comfortable online are especially likely to be put at risk from insecure products.
“We need to bake security in by design into tech, otherwise we’re pushing the cost of maintaining security to the users,” the senior administration official said.
Department of Commerce Secretary Gina Raimondo and Small Business Administration leader Isabella Guzman will tackle this topic in a breakout session titled “Building Enduring Cybersecurity.” They are slated to meet with insurance sector representatives from Coalition, Vantage Group, Resilience and Travelers as well as members of technology firms. ADP, Apple, Amazon, Google, IBM and Microsoft are also scheduled to participate.
LEVERS FOR CHANGE
Meetings that focus only on discussing ideas are unlikely to produce change, so federal officials must also determine how they can best push private partners to turn these recommendations into action. Biden administration officials have tended to avoid jumping straight to regulations and have instead been willing thus far to test a variety of motivational levers.
Biden’s May executive order made an appeal to companies’ bottom lines by restricting federal procurement to only those vendors that meet certain security standards, and the senior administration official said meeting-goers are expected to discuss how insurance plans can also encourage firms to improve cyber hygiene.
New regulations seem to still be on the table, however. A late-July White House memorandum encouraged critical infrastructure operators to voluntarily adopt certain security improvements, and the senior administration official implied these measures could become obligatory.
“[The memorandum] said, ‘these are the voluntary cybersecurity goals that outline our expectations for owners and operators of critical infrastructure,’” the official said. “And then we want to work with the private sector and Congress to ensure these standards are adopted across the board.”