Via Teleconference
(August 24, 2021)
3:02 P.M. EDT
MODERATOR: Hey, everyone. This is [senior administration official]. So, just — thank you all for joining us today.
As you all remember, last month, we announced that the President was going to host a meeting with private sector leaders on August 25th, which is tomorrow.
On the phone I have [senior administration official]. This information is just for your awareness, not for reporting. This call is on background, attributable to “a senior administration official.” And the contents of this call will be embargoed until tomorrow, 5:00 a.m. Eastern, August 25th. If you’re joining this call, you’re agreeing to the terms of the embargo.
With that, I’ll turn it over to [senior administration official].
SENIOR ADMINISTRATION OFFICIAL: Thank you so much. Hi, everyone. Good afternoon and thank you for joining us. As you all remember in July, the White House announced the President would be hosting private sector leaders at the White House tomorrow to discuss how we can collectively improve the nation’s cybersecurity.
So I wanted to give you a brief rundown of the day. [Senior administration official] will follow up right after the call, she said, with more detailed logistics and the names of participants. I’m also happy to answer any questions you have at the end of the call.
So, the Biden administration has prioritized cybersecurity since day one.
First, the May 2021 executive order, which has really dramatically reset the game on cybersecurity and both from a federal cybersecurity approach, from a security of software that we all use approach; the Industrial Control System Cybersecurity Initiative, which has already improved the cybersecurity of electric utilities serving more than 90 million Americans; and the National Security Memorandum that the President released in July to improve critical infrastructure cybersecurity.
You know, as you know, that’s just domestic. There’s a lot of other international work — international work with partners, NATO, G7, et cetera, that we’ve done.
However, the federal government can’t drive (inaudible) our own, and in many cases, the private sector is better positioned for reasons of authority or influence. So, the meeting tomorrow reflects the President’s commitment to public-private partnership and won’t be his last engagement with the private sector on cybersecurity. He’s very much committed to this.
Both the U.S. public- and private-sector entities increasingly face sophisticated malicious cyber activity. These incidents affect businesses small and large, small towns and cities in every corner of the country, and can hit the pocketbooks of middle-class families.
In [engagements] [Redacted.] with attorney generals, sessions with mayors, [we] heard loud and clear the issues they’re seeing both in their cities, in their states, but also, they’re hearing from small- and medium-sized businesses.
So, even as we face this growing threat, the skilled cybersecurity workforce we need to meet the challenge hasn’t kept pace. There are approximately 500,000 cybersecurity jobs which are unfilled today.
So, the President recognizes that the escalating cyber threats we face require a whole-of-nation effort, and this meeting will highlight the scope of the challenge we face, but also the opportunities. So, it’s really a call to action.
Tomorrow, the President will meet with leaders from a range of sectors and companies with the power to immediately act to improve our nation’s cybersecurity, specifically from tech, insurance, education, and critical infrastructure.
From tech, the companies participating will be Google, Amazon, Apple, Microsoft, IBM, and ADP. You’ll note that we particularly included ADP because of the services they provide to thousands and thousands of small- and medium-sized companies.
From financial: JPMorgan Chase, Bank of America, TIAA, and U.S. Bancorp.
From insurance: Coalition, Vantage Group, Resilience, and Travelers.
From education, a creative set: Code.org, University of Texas System, Tougaloo College, Girls Who Code, and Whatcom Community College.
So, after the meeting with the President, participants will also join smaller meetings with various members of the President’s Cabinet and national security team for a more informal discussion on concrete steps we can take to improve national cyber posture.
Those discussions will occur in three parallel breakout sessions, specifically:
- “Critical Infrastructure Resilience,” which will be co-chaired by Secretary Mayorkas and Secretary Granholm, with participants across energy, financial, and water
- “Building Enduring Cybersecurity,” which is chaired by Secretary Raimondo and the Small Business Administrator Guzman — participants: tech and insurance. We really see insurance as a way to drive better cybersecurity practices.
- And then the “Cybersecurity Workforce,” chaired by the National Cyber Director. Participants are education leaders.
Following those sessions, the National Cyber Director and I will bring back groups to get a readout of what was discussed and summarize that and provide that to the President.
Before taking your questions, I want to emphasize that tomorrow is a call to action. The federal government can’t solve this complex, growing international challenge alone, and we can’t do it overnight.
For those of you who know me know that we’re sincere when we say that cybersecurity is a matter of national security, the public and private sectors must meet this moment together, and the American people are counting on us.
So, tomorrow is really an important opportunity to drive that forward. And with that, I will take your questions.
Q Hey there. Thank you for taking my question and thanks for doing this backgrounder. I guess my big question is, what exactly you expect to come out of this. Do you have a list of sort of — you know, a wish list that you would like to see the executives you’ve invited agree to? Is there some kind of framework that you want them to agree to observe in the cases of breaches? You know, what exactly will be the outcome of this meeting?
SENIOR ADMINISTRATION OFFICIAL: So, clearly, you know, as you can imagine, this meeting is a sum-up of a lot of work in the last few weeks, working with participants to discuss initiatives. And there will be a set of announcements that will be made tomorrow across the key areas — significantly on technology and talent — made by the participants, both government and private sector. So that’s the first part. Right?
And then, in addition, gathering this kind of group together to discuss the issues will also be an opportunity for new ideas and new discussion. And that’s the — what we plan to take out of those deep-dive sessions. So we have both.
And thanks for the question, Andrea.
SENIOR ADMINISTRATION OFFICIAL: Hi, Dustin.
Q Hi, [senior administration official], good to hear from you again. Thank you for doing this.
Can you just talk a little bit about how much of a dominant theme you expect ransomware to be during tomorrow’s discussions? Is that sort of a key focus still?
And then, can you also provide us an update — or is there any update to provide on the ongoing conversations between the administration and the representatives from Russia, concerning ransomware criminal activity within their borders? Thanks.
SENIOR ADMINISTRATION OFFICIAL: Got it. So, ransomware is clearly one key focus, but we really wanted to take a focus on the enduring — on, really, the root causes of any kind of malicious cyber activity. One, the need to really improve the security in tech, frankly. And then the need to really improve the, you know, putting in place good operational practices. So, if you saw, you know, we kind of are pushing out those aggressively for the federal government.
So that’s, you know — the second aspect is not having enough people. The focus of 500,000 open jobs.
And the final one is just a broad set of vulnerabilities across critical infrastructure. So, we really wanted to make it a discussion of root causes.
Clearly, you know, all of those causes are some of the reasons that ransomware attacks are successful. Right? So ransomware will be a part of the discussion, but we really wanted to take a broader look at various kinds of malicious cyber activity and what we can practically do about it.
And on the second one, you know, clearly that continues to be an area of discussion. As you know, the President established the experts group, and we continue to meet and make progress in that forum.
SENIOR ADMINISTRATION OFFICIAL: Hi, Tim.
Q Hi. Thanks, [senior administration official]. Hi there. What’s your sense of what needs to happen to get the private sector to embrace the approaches that involve asking more of them? We’ve seen some resistance to pipeline regulation ideas and to the terms of incident response notification laws.
SENIOR ADMINISTRATION OFFICIAL: I really love the question, because as you noted, the administration has really taken a whole set of combination of approaches along the spectrum of asking to mandating. Right?
So, in the EO, we mandated certain things to say, “If you want to do business with the federal government, you’ve got to have — you know, you’ve got to build software — critical software to these practices.” And the TSA second directive mandated certain security requirements for pipelines.
While on the asking side, we had the ICS initiative — which I mentioned, you know, serving now 90 million Americans — where companies stepped up and rolled out the cybersecurity technologies we recommended for them.
So, I think here what we’re working to really do is pick carefully the sectors and the leaders who we say, “We need you. The critical services of this country need you.” We need to transition to where technology is built securely by default. We’ve baked in by design. You know, we don’t buy a car and then buy the airbag separately. And it’s — you know, with tech, we need to know we’re buying secure tech.
And then similarly — right? — insurance motivates us to do good practices, you know, whether it’s safe driving, [Redacted.], or a smoke detector in our homes. And we’re trying to brainstorm and say, “Can insurance motivate companies, you know, to do what they need to do, in terms of cyber hygiene.”
So we try to carefully not only ask, but also bring real thought to what are the particular asks and how does this create the ecosystem that moves — that has the right incentives to move things forward.
SENIOR ADMINISTRATION OFFICIAL: Hi, Eric.
Q Hi, [senior administration official]. The seatbelt thing is actually — and the airbags thing is actually a great segue to my question, which is about mandates and laws — because obviously those are safety features that a lot of states do require.
In these conversations, will the administration be encouraging companies to support a cyber incident reporting mandate, which we’ve seen Congress consider? It seems to be the thing that has the most momentum of any kind of regulation right now. Will you be encouraging them to embrace that kind of mandate?
SENIOR ADMINISTRATION OFFICIAL: So, I think you saw in the executive order, we require that any companies, you know, doing business with the federal government share incidents that occur. Beyond that, as I mentioned in the — you know, to Dustin’s question on ransomware, we’re taking just a broader approach to root causes in this discussion and how to really drive more secure tech, drive companies to put in place better practices, ensure we have the talent needed. Those are the focuses of this discussion.
SENIOR ADMINISTRATION OFFICIAL: Hi, Brian.
Q Hi, [senior administration official]. Thanks for doing the call. I’m wondering if you could sort of characterize what commitments the White House may have asked the participants to come to the table with tomorrow. Or is this more of a general conversation to explore possible solutions? In other words, are there specific commitments and deliverables that the companies will be, you know, providing the administration, saying we’re prepared to take these steps today?
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So, there are specific commitments. And I think this was an opportunity to have some, you know, focused discussions around — I think you’ve heard me say many times in the preceding months: We need to bake security in by design into tech, otherwise we’re pushing the cost of maintaining security to the users.
You’re pushing it on small companies who’ve got a patch; you’re pushing it on, you know, older or less educated — or less technically comfortable people on how to be safe online. We’ve got to have more secure tech.
So that was one set of conversations.
You know, we’ve been talking with critical infrastructure, as you know, for quite some time around, “Look, folks, don’t be the next Colonial,” right? Put in place the visibility you need, particularly on your operational technology networks.
So we’ve been having some very focused discussions on those initiatives, and the announcements will relate to those.
But then, as I mentioned earlier, we also just want to have discussions, right? Bring folks in, hear their ideas. The President wants to hear their ideas. So that — there’s that opportunity as well.
Q Hi, thanks for taking the question. I think you may have covered it with a response to Brian. But just in terms of commitments, are you expecting any kind of financial commitments to be announced tomorrow, whether — you know, from the companies or from the government in terms of how much is going to be spent on these initiatives?
And then also, in terms of partnerships with some of the companies — I mean, are we expecting to hear anything about how exactly companies like, say, for example, Microsoft, might work to improve the security of local governments who have been particularly hit by ransomware, given that it’s often traced back to old versions of software, hardware, et cetera? I mean, will we see any sort of concrete steps in that direction?
SENIOR ADMINISTRATION OFFICIAL: You definitely will see concrete steps, but I think there needs to be an element of surprise, folks, when we roll that out. So just to say it’s definitely a set of concrete steps. I’m really — you know, I was really happy to see the commitments folks were making in terms of they are being concrete.
And I think this meeting coming on the heels of — I think it was Dustin who asked me — just a series of, you know, cyberattacks that occurred. And I think the increasing recognition that, you know, each of the things we just talked about need to happen has really, I think, created a sense of urgency.
So, that — you will definitely be seeing a set of concrete announcements also by government, not just by private sector folks. You know, we need both to be successful.
Q Hi, thanks so much for doing this. Two, essentially, follow-ups. One, I know you’re wary of revealing even more about the announcements, but you mentioned that some of them will be around the workforce. Can you tell us anything more about sort of the broad categories of those?
And then, second, to follow up on what I think Tim was asking: The last time we talked, when the memorandum came out, the White House was focusing on the asking side of the spectrum rather than the mandating side of the spectrum. To what extent is that sort of still alive debating, whether Congress would give you that authority? Are you still looking for that authority from Congress, and are you talking with companies about what might happen in a “mandate-y” way if you don’t get what you’re getting in an “ask-y” way?
SENIOR ADMINISTRATION OFFICIAL: So, on the first question, I find the talent aspect exciting because, as you can see — you know, as I mentioned the education elements we invited, we didn’t just go to traditional four-year colleges or even traditional — or even community colleges, right? We went to a broader set of entities to really think creatively.
I mean, to be frank, what makes me so excited about cyber education is the opportunity it offers to Americans of all backgrounds, you know, to — you know, you can get a certification, and you can be tremendously successful in a cyber career and just build those certifications, build (inaudible) skills. You can do a four-year degree. But people have those options.
So I think that’s what’s super exciting, and we really, you know, worked on that in some of the announcements that are coming out.
And on your second question, I think if I — I think if I understood the question — sorry, it’s been a long day — the National Security Memorandum that the President rolled out recently, you know, essentially it played that out. It said these are the voluntary cybersecurity goals that outline our expectations for owners and operators of critical infrastructure.
And then we want to work with the private sector and Congress to ensure these standards are adopted across the board. In other words, “Heads up. This is what we think is reasonable as a threshold of — since you’re an owner and operator of critical infrastructure.” We’re going to work to make sure that these standards are adopted across the board because, you know, we — we, as the government, owe that to the citizens we serve.
But we’d love for you to get a head start and get moving. You know, by the way, you’ll have a voice in the way we run the process for establishing the performance controls, much as (inaudible) did with establishing the standards for critical software coming out of the executive order.
We literally had, I think, over a thousand people participating in those workshops to get the input. So it wasn’t government going into a room and locking the door; it was, “No, let’s work with the private sector to set good thresholds for what this needs to be so that we know it’s achievable, reasonable, and effective.”
MODERATOR: Thanks, everyone, for joining. Just as a reminder, this call was on background, attributable to a “senior administration official,” and the contents of this call are embargoed until tomorrow, 5:00 a.m. Eastern, Wednesday, August 25th.
If you did not get a chance to ask your question, please reach out to me via e-mail and we’ll make sure to get you a response back.
Thanks, everyone, and have a good day.
3:22 P.M. EDT