Tech giants pledge billions, commit to bolstering public cyber defenses
From an executive order in the spring modernizing the federal government’s digital defenses to a memorandum issued last month outlining security parameters for operators of critical infrastructure, bolstering the nation’s cybersecurity has been a notable focus of the current presidential administration.
At a cybersecurity summit Wednesday, United States tech giants committed to working with local and federal governments to bolster the nation’s digital defenses—pledging to invest billions along the way. Keystone to the endeavor is a collaboration between the National Institute of Standards and Technology (NIST) and leading tech brands with a mission to improve security throughout the tech supply chain.
“The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” reads a statement issued by the White House following the summit. “Google, Microsoft, IBM, Travelers and Coalition committed to participating in this NIST-led initiative.”
Brands represented at the meeting included JPMorgan Chase and Apple, among many others.
In a blog post penned collaboratively by Google’s Eric Brewer and Dan Lorenc, the duo referenced statements submitted in response to a previous call put out by the National Telecommunications and Information Administration (NTIA) and NIST “for position papers to help guide adoption of new software supply chain security standards and guidelines,” which meet the standards of President Joe Biden’s executive order issued in May.
Brewer is a professor of computer science at the University of California, Berkeley and vice-president of infrastructure at Google; Lorenc is a software engineer at the California-based software company. Based on researched best practices implemented at Google, Brewer and Lorenc advocated for a fundamental shift in the nation’s approach to cybersecurity.
“Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms and frameworks that stop entire classes of bugs,” the post reads. “Preventing problems before they leave the developer’s keyboard is safer and more cost effective than trying to fix vulnerabilities and their fallout. (Consider the enormous impact of the SolarWinds attack, which is predicted to take $100 billion to remediate.)”
Wednesday’s summit took place against a backdrop of increasingly sophisticated and frequent cyberattacks against local governments and private entities alike. The year has brought with it some of the most far-reaching ransomware incidents in U.S. history, such as the Colonial Pipeline attack in the spring, which crippled the southeastern region’s fuel supply chain overnight. In response, the federal government is throwing its fiscal weight into the fray, setting aside $1 billion in the bipartisan infrastructure legislation for cybersecurity, administered through The State and Local Cybersecurity Improvement Act. More recently, the Department of Homeland Security announced a new talent management system intended to address historical and ongoing challenges in recruiting and retaining talent.
In this hidden battle, bolstering national and local defenses is everyone’s job—not just the government’s responsibility—Brewer and Lorenc note: “No single entity can fix the problems we all face in this area, but by being open about our practices and sharing our research and tools, we can all help raise the standards for our collective security.”
As a part of the recently announced federally led initiative, Google said it will invest “$10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security,” the White House’s statement notes. The tech giant also pledged to “help 100,000 Americans earn industry-recognized digital skills certificates that provide the knowledge that can lead to secure high-paying, high-growth jobs.”
Likewise, Microsoft said it would put forward $20 billion over the next five years to “accelerate efforts to integrate cyber security by design and deliver advanced security solutions.” In the more immediate term, it will “make available $150 million in technical services to help federal, state and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.”
Following Wednesday’s summit, the Biden administration said it will expand its critical infrastructure cybersecurity guidelines to include natural gas pipelines. Meanwhile, Apple pledged to establish a program among its more than 9,000 U.S. suppliers to drive security improvements like the mass-adoption of multi-factor authentication, security training, incident response and event logging.
Amazon said it will make its employee training programs publicly available; Girls Who Code said it will make scholarships and career opportunities more accessible to underrepresented groups; and the cyber insurance provider Resilience said it will require policy holders to meet a threshold of best practices to receive coverage, among other steps taken by various companies.