Devil will be in NIST guideline details
The Biden Administration is making it clear that cybersecurity is an issue it intends to focus on for the next four years after revealing during a summit with IT industry leaders that it has directed the National Institute of Standards and Technology (NIST) to work with industry and other partners to craft new guidelines for both building secure technology and assessing it after it is deployed. That directive was made in the company of a diverse range of IT industry executives that promised to answer an appeal made by President Biden to "raise the bar on cybersecurity."
At the same time, the Biden Administration also announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to include natural gas pipelines. That initiative was initially focused on electric utilities.
The cybersecurity pledges made by companies during the meeting included:
Amazon said it would make its cybersecurity training available to the public for free and committed to providing multi-factor authentication capabilities to some cloud computing customers beginning in October.
Microsoft said it will invest $20 billion over five years, a four-fold increase from current rates, to speed up its cybersecurity work. It also pledged to make available $150 million in technical services to help federal, state, and local governments keep their security systems up to date.
Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. The company pledged to drive mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
IBM said it will train more than 150,000 people in cybersecurity skills over three years and will partner with historically African-American colleges and universities to create a more diverse cyber workforce.
Google said it was devoting $10 billion to cybersecurity over the next five years in addition to helping 100,000 Americans earn industry-recognized digital skills certificates.
Girls Who Code announced it will establish a micro-credentialing program for historically excluded groups in technology.
Code.org announced it will teach cybersecurity concepts to over three million students across 35,000 classrooms over 3 years.
The University of Texas System announced it will expand entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute.
Whatcom Community College announced it has been designated the new NSF Advanced Technological Education National Cybersecurity Center, and will provide cybersecurity education and training to faculty in addition to training students.
As welcome as these developments are from a cybersecurity perspective, cybersecurity professionals would do well to remember the nine most terrifying words in the English language as identified by former President Ronald Reagan: “I’m from the government and I’m here to help.” The trouble with any guideline is that it creates a minimum standard that organizations will strive to meet but do no more. Lobbying efforts to keep cybersecurity guidelines from being “overly prescriptive” are undoubtedly already underway.
That’s why, from a cybersecurity perspective, arguably the two most important attendees at the summit hosted by President Biden were from Resilience Cyber Insurance Solutions and Coalition. The two providers of cyber insurance made it clear they will require policyholders to meet whatever guidelines are ultimately crafted. On the plus side, that means the guidelines will have some teeth, in the sense that business executives will take note of what level of security is required to obtain cybersecurity insurance that limits the financial damage caused by, for example, a ransomware attack. The devil, of course, will be in the details of the guidelines that are ultimately published by NIST.