President Joe Biden is holding a summit today with chief executives from a range of top U.S. businesses. Attendees include Apple CEO Tim Cook, Microsoft boss Satya Nadella, Amazon CEO Andy Jassy and the heads of several large U.S. financial institutions, including JPMorgan Chase and Bank of America.
The meeting comes as corporate America faces a rapidly escalating set of cyber threats, ranging from massive data breaches such as the one that recently hit telecoms giant T-Mobile to ransomware attacks that have targeted everything from a critical pipeline business to a large meat-processing company and many smaller outfits.
The attacks have underlined the need for more concerted action across industries—and between the private and public sectors. The problem has become even more acute as hackers have stepped up attempts to compromise managed service providers (MSPs) like Kaseya, which manage tech processes and functions on behalf of corporate customers. Penetrating the systems of an MSP can allow hackers to get access to their clients’ systems too.
The Biden administration has made cybersecurity one of its top priorities, issuing an early executive order on the subject, warning countries such as Russia of repercussions if they harbor hackers and appointing some notable private sector executives to top national security roles. (An example: Jen Easterly, the new head of the Cybersecurity and Infrastructure Security Agency, was previously an executive at investment bank Morgan Stanley.)
Still, there are crucial questions that the business executives attending today’s summit will want answers to. Here are some of the most important ones:
What additional resources is the Biden administration willing to commit to combat hacking?
MORE FOR YOU
Companies, especially smaller ones, don’t have the resources themselves to deal with the panoply of threats they now face. Yet the FBI and other government agencies charged with investigating hacking are being stretched to the limit by the ransomware plague and other cyberattacks. Without a significant increase in resources for deterrence and investigations, the hacking onslaught is unlikely to subside soon.
How far is the government willing to go to deter countries from instigating—or turning a blind eye to—hacking activities?
Last month, President Biden warned that if the country ended up in a “major shooting war” with a “major power,” this could be triggered by a cyberattack on U.S. critical infrastructure. That’s (quite literally) fighting talk, but it’s not clear exactly what red line would have to be crossed digitally to trigger a military response.
Nor is it clear how effective other, less extreme forms of sanctions, such as indicting Russian and Chinese hackers, are in terms of dissuading future attacks. This is a complex area, but business leaders will be looking for signs the Biden administration is thinking creatively in terms of the pressure it can bring to bear on hackers and those who support them.
What extra legal protections is the government willing to provide to companies who voluntarily share data about cyber incidents?
Many industries have set up groups that enable companies within them to share data about cyber threats. By spreading news of threats quickly, these groups help minimize the damage hackers can do. Similarly, the U.S. government is keen to share some threat data with businesses—and wants them to tell it about what they are seeing.
But this is all something of a legal grey area. General counsels are concerned that handing information over about breaches, or even possible breaches, could open businesses up to legal action without sufficiently strong legal safeguards in place. Anything the summit can do to help build confidence here would be a welcome advance.
Is the administration in favor of a federal data breach disclosure regime?
America currently has a smorgasbord of state-level rules covering data breaches and what companies are expected to do if they suffer one. This is both complex and costly for businesses to deal with. There has been talk for years of instituting a federal regime, which would also simplify the task of keeping track of what’s happening in terms of breaches. The leaders attending the summit will be looking for an indication that the administration is willing to promote a federal breach notification law.
These are just some of the key cybersecurity-related questions that U.S. businesses are keen to get answers to from the Biden administration—and it’s almost certainly going to take more than a single summit to resolve them.