Politico

Exclusive: Biden’s cyber leaders go to Silicon Valley for more help fighting hackers


Senior Biden administration officials met in Silicon Valley on Monday with key technology and cybersecurity companies as part of a push for more help from the private sector in fending off increasingly aggressive hackers working for adversarial regimes and criminal gangs.

Homeland Security Secretary Alejandro Mayorkas, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Cyber Director Chris Inglis and other officials met with executives from 13 companies, including Google, networking vendor Juniper Networks and security firm Mandiant. Their aim was to deepen relationships between government and industry that security professionals see as vital for protecting the nation’s critical infrastructure.

The government already has strong relationships with some companies, such as Microsoft, that routinely warn officials about cyberattacks and help neutralize them. But Monday’s meeting is part of a charm offensive aimed at growing the ranks of the government’s industry allies and improving how efficiently they work together.

These partnerships could offer the Biden administration a new weapon against ransomware — one that doesn’t rely on cooperation from Russian President Vladimir Putin, whose nation shelters many ransomware operators and with whom Biden is set to discuss cyber and other issues on Tuesday.

“This is about taking a spirit of partnership and moving into actual operational collaboration,” Mayorkas said in an interview with POLITICO. The aim, he said, is “to increase the cyber hygiene not only of the government” but also companies with a wide range of expertise and resources.

A DHS official, who spoke anonymously in keeping with department policy, said the meeting was part of an effort to “get to the point where government and the private sector are working day in and day out on understanding, analyzing, and then mitigating the most urgent threats that we’re seeing.”

Officials also sought to ensure that corporate leaders viewed collaboration with the government as a priority and understood how it could benefit them and the entire technology ecosystem.

When the government asks companies to do more, the DHS official said, that requires them to spend more money, and many companies wonder how they will benefit from doing so. The Biden administration saw Monday’s meeting as a chance to answer that question.

“There were concerns expressed with respect to … the value proposition,” Mayorkas said. But he said participants mostly expressed appreciation for how the government was addressing those concerns, including about the quality and quantity of threat information shared with the private sector.

The companies also brought up the challenge of protecting firms that lack knowledge about threats or resources to mitigate them, Mayorkas said.

As it enters its fourth year as a full-fledged agency, CISA has pushed hard to collaborate with more companies in more intensive ways, including by situating private-sector analysts in government watch centers to smooth the process of sharing information.

Under Easterly, CISA has launched the Joint Cyber Defense Collaborative, a forum for cooperative cyber defense planning with companies at the heart of operating and securing the internet’s infrastructure.

The JCDC can demonstrate why it’s beneficial to collaborate closely with the government to fight cyber threats, Mayorkas said. He said executives at the meeting praised its potential to expand the pool of companies sharing data with the feds.

Easterly, Inglis and other cyber officials have crisscrossed the country for months with a message for corporate chiefs: Cybersecurity isn’t just an issue for your IT staff; it’s an issue for your CEO and your board. “This is a business risk issue,” the DHS official said, and it should be “at the top of the list of risks that CEOs [and] board directors are managing.”

Monday’s 90-minute meeting took place at the Four Seasons hotel in Palo Alto, Calif., according to Sarah Kuranda, a spokesperson for the cyber-focused venture capital firm NightDragon, whose founder Dave DeWalt helped organize the event. The meeting included a threat briefing, updates on the JCDC and a soon-to-be-established Cyber Safety Review Board, and an open discussion.

In addition to Google, Juniper and Mandiant, companies present included AT&T and tech firms Cloudflare, VMware and Lumen, a DHS spokesperson said.

Besides the senior officials, other government participants included Robert Silvers, the DHS undersecretary for policy; Eric Goldstein, who leads CISA’s cyber division; DHS Chief Information Officer Eric Hysen; and Tim Maurer, a cybersecurity adviser to Mayorkas.

Officials used the meeting to gather early feedback about the JCDC and solicit input about “our ideas for the future,” Mayorkas said.

Monday’s gathering in Silicon Valley came on the cusp of the one-year anniversary of the public disclosure of the SolarWinds cyber espionage campaign, in which Russian government hackers exploited a flaw in widely used IT management software to crack open the networks of at least nine government agencies and roughly 100 companies.

The sweeping and sophisticated campaign, revealed in the waning hours of the Trump administration, served as a wakeup call for President Joe Biden’s national security team and informed a raft of cybersecurity announcements from his administration in the months that followed. Chief among those actions was an executive order that sought to overhaul the digital architecture of the federal government and inspire similarly aggressive reforms in the private sector.

The government is now much better prepared for another complex SolarWinds-style supply chain attack, the DHS official said.

“We have a far deeper level of collaboration than I think we had a year ago,” the official said, primarily due to “progress over the past six months.” But, this official added, “There’s not going to be a point where we say, ‘We’re done here, operational collaboration is fully maximized,’” because defenders will always be adapting to hackers’ shifting tactics.

Multiple administrations have tried to turn “public-private partnerships” into something more than a talking point, but the Biden administration believes it has succeeded where its predecessors mostly failed, even as attacks continue to mount.

The DHS official offered two reasons for why this time was different. First, they said, Biden’s team has focused on building ties with the handful of companies that have the greatest visibility into the threats coursing across the internet, including through planning that goes beyond the crisis of the moment. Second, the official said, “there’s a level of senior focus on this specific issue of operational collaboration” that did not exist in previous administrations. Biden himself convened a high-profile cyber summit with CEOs and academic leaders in August.

But it remains to be seen what improvements will result from meetings such as the one in Palo Alto on Monday. The DHS official said the Biden administration will judge the success of its bridge-building get-togethers by how smoothly government and private-sector analysts are able to work together when new cyber threats emerge.

The relationship between government and industry hasn’t always been friendly. After leaving the post of deputy DHS secretary at the end of the Obama administration, Mayorkas told POLITICO that a “residue of distrust,” prompted by disputes over encryption and surveillance, was hampering these partnerships.

Reflecting on those comments on Monday after the Silicon Valley event concluded, Mayorkas said things had changed dramatically since then.

“That trust deficit is behind us,” he said. “Everyone is looking forward to the collaboration.”


About the author

Lisa
