In the wake of several high-profile ransomware attacks against critical infrastructure and major organizations in the last few months, President Biden met with private sector and education leaders to discuss a whole-of-nation effort needed to address cybersecurity threats and bolster the nation’s cybersecurity.
Several participants in President Biden's meetings have recently announced commitments and initiatives:
- The National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.
- The Biden Administration announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines.
- Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain.
- Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security.
- IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
- Microsoft announced it will invest $20 billion over the next five years to accelerate efforts to integrate cybersecurity by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments upgrade their security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
- Amazon announced it will make available to the public at no charge the security awareness training it offers its employees.
And those are just the big players. The full list can be found here.
The importance and relevance of each of these is discussed below.
An important attack vector behind some of the biggest and most costly ransomware incidents was the supply chain attack. While not new, these attacks are always interesting because they usually involve highly skilled attackers and claim a large number of victims at once: compromising one supplier gives the attacker a path into every customer that trusts that supplier's software or updates. A prime example is Kaseya, a vendor of remote management software used by managed service providers (MSPs).
You can hear exactly what went wrong at Kaseya on our podcast Lock and Code, with guest Victor Gevers of the Dutch Institute for Vulnerability Disclosure, which found seven or eight zero-days in the product.
The Industrial Control Systems Cybersecurity Initiative
In April 2021, the Biden Administration launched an Industrial Control Systems Cybersecurity Initiative to strengthen the cybersecurity of critical infrastructure across the United States. The Electricity Subsector Action Plan was the first in a series of sector-by-sector efforts to safeguard the Nation's critical infrastructure from cyber threats. The expansion to natural gas pipelines may well have been prompted by the ransomware attack on Colonial Pipeline.
Organizations know that training employees on cybersecurity and privacy is not only expensive but time-consuming. Putting together a cybersecurity and privacy training program that is both effective and sticks requires an incredible amount of time, effort, and thought: finding out employees' learning needs, planning, setting goals, and identifying the level of competence they should reach.
For an organization to offer that kind of training for free to people outside of its own workforce is a big commitment, but it is also hard to make such training effective. The more you know about the environment a student will be working in, the more targeted and effective the training can be.
This type of training can be broken down into a few layers:
- Awareness, which is not really training, but making people aware of the dangers that are out there. A regular reader of our blog will have a high awareness level, or so we hope.
- Training proper, which strives to produce relevant and needed security skills and competencies. But as we pointed out, that is hard to do without specific knowledge of the working environment. Knowing which programs the trainees will be using is essential for targeted and effective training.
- Education, which integrates the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and proactive response. That would be a good thing, given the shortage of cybersecurity professionals, but it is not what I'm reading in the announcements.
We are glad about the initiatives and the amount of money and effort these organizations are willing to put into them. Some will certainly be more effective than others, and we will certainly do our best to keep awareness levels high.