Biden-Harris Administration announces new actions and private commitments to bolster the nation’s cyber defense at schools and protect American families
Administration leaders, school administrators, educators, and education technology providers will convene at the White House to discuss how to strengthen the nation’s schools’ cybersecurity amidst growing ransomware attacks
The United States has experienced an increase in cyberattacks that have targeted the nation’s schools in recent years. In the 2022-23 academic year alone, at least eight K-12 school districts throughout the country were impacted by significant cyberattacks – four of which left schools having to cancel classes or close completely. Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators. Sensitive personal information – including student grades, medical records, documented home issues, behavioral information, and financial information – of students and employees was stolen and publicly disclosed. Additionally, sensitive information about school security systems was leaked online as a result of these attacks.
Secretary of Education Miguel Cardona and Secretary of Homeland Security Alejandro Mayorkas joined First Lady Jill Biden to convene school administrators, educators and private sector companies to discuss best practices and new resources available to strengthen our schools’ cybersecurity, protect American families and schools, and prevent cyberattacks from disrupting our classrooms.
The U.S. Department of Education will establish a Government Coordinating Council (GCC) that will coordinate activities, policy, and communications between, and amongst, federal, state, local, tribal, and territorial education leaders to strengthen the cyber defenses and resilience of K-12 schools. By facilitating formal, ongoing collaboration between all levels of government and the education sector, the GCC will be a key first step in the Department’s strategy to protect schools and districts from cybersecurity threats and for supporting districts in preparing for, responding to, and recovering from cybersecurity attacks.
CISA is committing to providing tailored assessments, facilitating exercises, and delivering cybersecurity training for 300 new K-12 entities over the coming school year. CISA plans to conduct 12 K-12 cyber exercises this year, averaging one per month, and is currently soliciting exercise requests from government and critical infrastructure partners, including the K-12 community.
The Federal Bureau of Investigation (FBI) and the National Guard Bureau are releasing updated resource guides to ensure state government and education officials know how to report cybersecurity incidents and can leverage the federal government’s cyber defense capabilities.
Additionally, several education technology providers are committing to providing free and low-cost resources to school districts, including:
Amazon Web Services (AWS) is committing the following: $20 million for a K-12 cyber grant program available to all school districts and state departments of education; free security training offerings tailored to K-12 IT staff delivered through AWS Skill Builder; and no-cost cyber incident response assistance through its Customer Incident Response Team in the event a school district experiences a cyberattack. AWS will also provide free well-architected security reviews to U.S. education technology companies providing mission-critical applications to the K-12 community.
Cloudflare, through its Project Cybersafe Schools, will offer a suite of free Zero Trust cybersecurity solutions to public school districts under 2,500 students, to give small school districts faster, safer Internet browsing and email security.
PowerSchool, a provider of cloud-based K-12 software in the United States for 80% of school districts, will provide new free and subsidized “security as a service” courses, training, tools and resources to all U.S. schools and districts.
Google released an updated “K-12 Cybersecurity Guidebook” for schools on the most effective and impactful steps education systems can take to ensure the security of their Google hardware and software applications.
D2L, a learning platform company, is committing to: providing access to new cybersecurity courses in collaboration with trusted third-parties; extending its information security review for the core D2L integration partners; and pursuing additional third-party validation of D2L compliance with security standards.
The commitments made today will help ensure the nation’s schools are in the best position to secure their networks to keep their students, educators, and employees safe. This is the latest example of President Biden’s commitment to ease the everyday concerns facing Americans – from strengthening confidence in the safety of the devices brought into homes and classrooms to securing the cyber infrastructure of our nation’s schools.
Several leading AI companies – Anthropic, Google, Microsoft, and OpenAI – to partner with DARPA in major competition to make software more secure
The Biden-Harris Administration has launched a major two-year competition that will use artificial intelligence (AI) to protect the United States’ most important software, such as code that helps run the internet and our critical infrastructure. The “AI Cyber Challenge” (AIxCC) will challenge competitors across the United States to identify and fix software vulnerabilities using AI. Led by the Defense Advanced Research Projects Agency (DARPA), this competition will include collaboration with several top AI companies – Anthropic, Google, Microsoft, and OpenAI – who are lending their expertise and making their cutting-edge technology available for this challenge. This competition, which will feature almost $20 million in prizes, will drive the creation of new technologies to rapidly improve the security of computer code, one of cybersecurity’s most pressing challenges. It marks the latest step by the Biden-Harris Administration to ensure the responsible advancement of emerging technologies and protect Americans.
The Biden-Harris Administration announced AIxCC at the Black Hat USA Conference in Las Vegas, Nevada, the nation’s largest hacking conference, which for decades has produced many cybersecurity innovations. By finding and fixing vulnerabilities in an automated and scalable way, AIxCC fits into this tradition. It will demonstrate the potential benefits of AI to help secure software used across the internet and throughout society, from the electric grids that power America to the transportation systems that drive daily life.
DARPA will host an open competition in which the competitor that best secures vital software will win millions of dollars in prizes. AI companies will make their cutting-edge technology—some of the most powerful AI systems in the world—available for competitors to use in designing new cybersecurity solutions. To ensure broad participation and a level playing field for AIxCC, DARPA will also make available $7 million to small businesses who want to compete.
Teams will participate in a qualifying event in Spring 2024, where the top scoring teams (up to 20) will be invited to participate in the semifinal competition at DEF CON 2024, one of the world’s top cybersecurity conferences. Of these, the top scoring teams (up to five) will receive monetary prizes and continue to the final phase of the competition, to be held at DEF CON 2025. The top three scoring competitors in the final competition will receive additional monetary prizes.
The top competitors will make a meaningful difference in cybersecurity for America and the world. The Open Source Security Foundation (OpenSSF), a project of the Linux Foundation, will serve as a challenge advisor. It will also help ensure that the winning software code is put to use right away protecting America’s most vital software and keeping the American people safe.
Today’s announcement is part of a broader commitment by the Biden-Harris Administration to ensure that the power of AI is harnessed to address the nation’s great challenges, and that AI is developed safely and responsibly to protect Americans from harm and discrimination. Last month, the Biden-Harris Administration announced it had secured voluntary commitments from seven leading AI companies to manage the risks posed by the technology. Earlier this year, the Administration announced a commitment from several AI companies to participate in an independent, public evaluation of large language models (LLMs)—consistent with responsible disclosure principles—at DEF CON 2023. This exercise, which starts later this week and is the first-ever public assessment of multiple LLMs, will help advance safer, more secure and more transparent AI development.
In addition, the Biden-Harris Administration is currently developing an executive order and will pursue bipartisan legislation to help America lead the way in responsible AI innovation.
While Donald Trump runs to take back the presidency in order to save himself from prison and continue to enrich himself off the office ($1.6 billion 2017-2021), President Joe Biden continues to actually get things done for the American people, on all fronts: growing the economy, adding jobs, increasing wages and income, increasing financial security, and protecting the country from enemies foreign and domestic, including the threats from cyberattacks and unregulated Artificial Intelligence. But the noise and tumult over Trump’s unprecedented criminal prosecutions and the Republicans who are enabling him are drowning out any notice of what Biden is accomplishing. Here is a fact sheet on the Biden-Harris administration’s National Cybersecurity Strategy Implementation Plan—Karen Rubin/news-photos-features.com
President Biden has made clear that all Americans deserve the full benefits and potential of our digital future. The Biden-Harris Administration’s recently released National Cybersecurity Strategy calls for two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace:
Ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk
Increasing incentives to favor long-term investments into cybersecurity
The Administration is announcing a roadmap to realize this bold, affirmative vision. It is taking the novel step of publishing the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and a continued path for coordination. This plan details more than 65 high-impact Federal initiatives, from protecting American jobs by combatting cybercrimes to building a skilled cyber workforce equipped to excel in our increasingly digital economy. The NCSIP, along with the Bipartisan Infrastructure Law, CHIPS and Science Act, Inflation Reduction Act, and other major Administration initiatives, will protect our investments in rebuilding America’s infrastructure, developing our clean energy sector, and re-shoring America’s technology and manufacturing base.
Eighteen agencies are leading initiatives in this whole-of-government plan demonstrating the Administration’s deep commitment to a more resilient, equitable, and defensible cyberspace. The Office of the National Cyber Director (ONCD) will coordinate activities under the plan, including an annual report to the President and Congress on the status of implementation, and partner with the Office of Management and Budget (OMB) to ensure funding proposals in the President’s Budget Request are aligned with NCSIP initiatives. The Administration looks forward to implementing this plan in continued collaboration with the private sector, civil society, international partners, Congress, and state, local, Tribal, and territorial governments. As an example of the Administration’s commitment to public-private collaboration, ONCD is also working on a request for information regarding cybersecurity regulatory harmonization that will be published in the near future.
The NCSIP is not intended to capture all Federal agency activities in support of the NCS. The following are sample initiatives from the plan, which is organized by the NCS pillars and strategic objectives.
Pillar One | Defending Critical Infrastructure
Update the National Cyber Incident Response Plan (1.4.1): During a cyber incident, it is critical that the government acts in a coordinated manner and that private sector and SLTT partners know how to get help. The Cybersecurity and Infrastructure Security Agency (CISA) will lead a process to update the National Cyber Incident Response Plan to more fully realize the policy that “a call to one is a call to all.” The update will also include clear guidance to external partners on the roles and capabilities of Federal agencies in incident response and recovery.
Pillar Two | Disrupting and Dismantling Threat Actors
Combat Ransomware (2.5.2 and 2.5.4): Through the Joint Ransomware Task Force, which is co-chaired by CISA and the FBI, the Administration will continue its campaign to combat the scourge of ransomware and other cybercrime. The FBI will work with Federal, international, and private sector partners to carry out disruption operations against the ransomware ecosystem, including virtual asset providers that enable laundering of ransomware proceeds and web fora offering initial access credentials or other material support for ransomware activities. A complementary initiative, led by CISA, will include offering resources such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.
Pillar Three | Shaping Market Forces and Driving Security and Resilience
Software Bill of Materials (3.3.2): Increasing software transparency allows market actors to better understand their supply chain risk and to hold their vendors accountable for secure development practices. CISA continues to lead work with key stakeholders to identify and reduce gaps in software bill of materials (SBOM) scale and implementation. CISA will also explore requirements for a globally-accessible database for end of life/end of support software and convene an international staff-level working group on SBOM.
Pillar Four | Investing in a Resilient Future
Drive Key Cybersecurity Standards (4.1.3, 4.3.3): Technical standards are foundational to the Internet, and U.S. leadership in this area is essential to the vibrancy and security of cyberspace. Consistent with the National Standards Strategy, the National Institute of Standards and Technology (NIST) will convene the Interagency International Cybersecurity Standardization Working Group to coordinate major issues in international cybersecurity standardization and enhance U.S. federal agency participation in the process. NIST will also finish standardization of one or more quantum-resistant public-key cryptographic algorithms.
Pillar Five | Forging International Partnerships to Pursue Shared Goals
International Cyberspace and Digital Policy Strategy (5.1.1 and 5.1.2): Cyberspace is inherently global, and policy solutions must reflect close collaboration with our partners and allies. The Department of State will publish an International Cyberspace and Digital Policy Strategy that incorporates bilateral and multilateral activities. State will also work to catalyze the development of staff knowledge and skills related to cyberspace and digital policy that can be used to establish and strengthen country and regional interagency cyber teams to facilitate coordination with partner nations.
Voluntary commitments – underscoring safety, security, and trust – mark a critical step toward developing responsible AI
Biden-Harris Administration will continue to take decisive action by developing an Executive Order and pursuing bipartisan legislation to keep Americans safe
Since taking office, President Biden, Vice President Harris, and the entire Biden-Harris Administration have moved with urgency to seize the tremendous promise and manage the risks posed by Artificial Intelligence (AI) and to protect Americans’ rights and safety. As part of this commitment, President Biden is convening seven leading AI companies at the White House today – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – to announce that the Biden-Harris Administration has secured voluntary commitments from these companies to help move toward safe, secure, and transparent development of AI technology.
Companies that are developing these emerging technologies have a responsibility to ensure their products are safe. To make the most of AI’s potential, the Biden-Harris Administration is encouraging this industry to uphold the highest standards to ensure that innovation doesn’t come at the expense of Americans’ rights and safety.
These commitments, which the companies have chosen to undertake immediately, underscore three principles that must be fundamental to the future of AI – safety, security, and trust – and mark a critical step toward developing responsible AI. As the pace of innovation continues to accelerate, the Biden-Harris Administration will continue to remind these companies of their responsibilities and take decisive action to keep Americans safe.
There is much more work underway. The Biden-Harris Administration is currently developing an executive order and will pursue bipartisan legislation to help America lead the way in responsible innovation.
In remarks announcing the commitments, President Biden said, “We’ll see more technology change in the next 10 years, or even in the next few years, than we’ve seen in the last 50 years. That has been an astounding revelation to me, quite frankly. Artificial intelligence is going to transform the lives of people around the world.
“The group here will be critical in shepherding that innovation with responsibility and safety by design to earn the trust of Americans. And, quite frankly, as I met with world leaders, all the G7 is focusing on the same thing.
“Social media has shown us the harm that powerful technology can do without the right safeguards in place.
“And I’ve said at the State of the Union that Congress needs to pass bipartisan legislation to impose strict limits on personal data collection, ban targeted advertisements to kids, require companies to put health and safety first.
“But we must be clear-eyed and vigilant about the threats emerging — of emerging technologies that can pose — don’t have to, but can pose — to our democracy and our values.
“Americans are seeing how advanced artificial intelligence and the pace of innovation have the power to disrupt jobs and industries.
“These commitments — these commitments are a promising step, but the — we have a lot more work to do together.
“Realizing the promise of AI by managing the risk is going to require some new laws, regulations, and oversight.”
These seven leading AI companies are committing to:
Ensuring Products are Safe Before Introducing Them to the Public
The companies commit to internal and external security testing of their AI systems before their release. This testing, which will be carried out in part by independent experts, guards against some of the most significant sources of AI risks, such as biosecurity and cybersecurity, as well as its broader societal effects.
The companies commit to sharing information across the industry and with governments, civil society, and academia on managing AI risks. This includes best practices for safety, information on attempts to circumvent safeguards, and technical collaboration.
Building Systems that Put Security First
The companies commit to investing in cybersecurity and insider threat safeguards to protect proprietary and unreleased model weights. These model weights are the most essential part of an AI system, and the companies agree that it is vital that the model weights be released only when intended and when security risks are considered.
The companies commit to facilitating third-party discovery and reporting of vulnerabilities in their AI systems. Some issues may persist even after an AI system is released and a robust reporting mechanism enables them to be found and fixed quickly.
Earning the Public’s Trust
The companies commit to developing robust technical mechanisms to ensure that users know when content is AI generated, such as a watermarking system. This action enables creativity with AI to flourish but reduces the dangers of fraud and deception.
The companies commit to publicly reporting their AI systems’ capabilities, limitations, and areas of appropriate and inappropriate use. This report will cover both security risks and societal risks, such as the effects on fairness and bias.
The companies commit to prioritizing research on the societal risks that AI systems can pose, including on avoiding harmful bias and discrimination, and protecting privacy. The track record of AI shows the insidiousness and prevalence of these dangers, and the companies commit to rolling out AI that mitigates them.
The companies commit to develop and deploy advanced AI systems to help address society’s greatest challenges. From cancer prevention to mitigating climate change to so much in between, AI—if properly managed—can contribute enormously to the prosperity, equality, and security of all.
As we advance this agenda at home, the Administration will work with allies and partners to establish a strong international framework to govern the development and use of AI. It has already consulted on the voluntary commitments with Australia, Brazil, Canada, Chile, France, Germany, India, Israel, Italy, Japan, Kenya, Mexico, the Netherlands, New Zealand, Nigeria, the Philippines, Singapore, South Korea, the UAE, and the UK. The United States seeks to ensure that these commitments support and complement Japan’s leadership of the G-7 Hiroshima Process—as a critical forum for developing shared principles for the governance of AI—as well as the United Kingdom’s leadership in hosting a Summit on AI Safety, and India’s leadership as Chair of the Global Partnership on AI.
This announcement is part of a broader commitment by the Biden-Harris Administration to ensure AI is developed safely and responsibly, and to protect Americans from harm and discrimination.
Last month, President Biden met with top experts and researchers in San Francisco as part of his commitment to seizing the opportunities and managing the risks posed by AI, building on the President’s ongoing engagement with leading AI experts.
In May, the President and Vice President convened the CEOs of four American companies at the forefront of AI innovation—Google, Anthropic, Microsoft, and OpenAI—to underscore their responsibility and emphasize the importance of driving responsible, trustworthy, and ethical innovation with safeguards that mitigate risks and potential harms to individuals and our society. At the companies’ request, the White House hosted a subsequent meeting focused on cybersecurity threats and best practices.
President Biden signed an Executive Order that directs federal agencies to root out bias in the design and use of new technologies, including AI, and to protect the public from algorithmic discrimination.
Earlier this year, the National Science Foundation announced a $140 million investment to establish seven new National AI Research Institutes, bringing the total to 25 institutions across the country.
The Office of Management and Budget will soon release draft policy guidance for federal agencies to ensure the development, procurement, and use of AI systems is centered around safeguarding the American people’s rights and safety.
With so much concern raised about the explosive increase in use of artificial intelligence, the Biden-Harris Administration announced new actions that will further promote responsible American innovation in artificial intelligence (AI) and protect people’s rights and safety. These steps build on the Administration’s strong record of leadership to ensure technology improves the lives of the American people, and break new ground in the federal government’s ongoing effort to advance a cohesive and comprehensive approach to AI-related risks and opportunities.
AI is one of the most powerful technologies of our time, but in order to seize the opportunities it presents, we must first mitigate its risks. President Biden has been clear that when it comes to AI, we must place people and communities at the center by supporting responsible innovation that serves the public good, while protecting our society, security, and economy. Importantly, this means that companies have a fundamental responsibility to make sure their products are safe before they are deployed or made public.
Vice President Harris and senior Administration officials met on May 4 with CEOs of four American companies at the forefront of AI innovation—Alphabet, Anthropic, Microsoft, and OpenAI—to underscore this responsibility and emphasize the importance of driving responsible, trustworthy, and ethical innovation with safeguards that mitigate risks and potential harms to individuals and our society. The meeting is part of a broader, ongoing effort to engage with advocates, companies, researchers, civil rights organizations, not-for-profit organizations, communities, international partners, and others on critical AI issues.
The Administration has also taken important actions to protect Americans in the AI age. In February, President Biden signed an Executive Order that directs federal agencies to root out bias in their design and use of new technologies, including AI, and to protect the public from algorithmic discrimination. Last week, the Federal Trade Commission, Consumer Financial Protection Bureau, Equal Employment Opportunity Commission, and Department of Justice’s Civil Rights Division issued a joint statement underscoring their collective commitment to leverage their existing legal authorities to protect the American people from AI-related harms.
The Administration is also actively working to address the national security concerns raised by AI, especially in critical areas like cybersecurity, biosecurity, and safety. This includes enlisting the support of government cybersecurity experts from across the national security community to ensure leading AI companies have access to best practices, including protection of AI models and networks.
The administration’s announcements include:
New investments to power responsible American AI research and development (R&D). The National Science Foundation is announcing $140 million in funding to launch seven new National AI Research Institutes. This investment will bring the total number of Institutes to 25 across the country, and extend the network of organizations involved into nearly every state. These Institutes catalyze collaborative efforts across institutions of higher education, federal agencies, industry, and others to pursue transformative AI advances that are ethical, trustworthy, responsible, and serve the public good. In addition to promoting responsible innovation, these Institutes bolster America’s AI R&D infrastructure and support the development of a diverse AI workforce. The new Institutes announced today will advance AI R&D to drive breakthroughs in critical areas, including climate, agriculture, energy, public health, education, and cybersecurity.
Public assessments of existing generative AI systems. The Administration is announcing an independent commitment from leading AI developers, including Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI, and Stability AI, to participate in a public evaluation of AI systems, consistent with responsible disclosure principles—on an evaluation platform developed by Scale AI—at the AI Village at DEFCON 31. This will allow these models to be evaluated thoroughly by thousands of community partners and AI experts to explore how the models align with the principles and practices outlined in the Biden-Harris Administration’s Blueprint for an AI Bill of Rights and AI Risk Management Framework. This independent exercise will provide critical information to researchers and the public about the impacts of these models, and will enable AI companies and developers to take steps to fix issues found in those models. Testing of AI models independent of government or the companies that have developed them is an important component in their effective evaluation.
Policies to ensure the U.S. government is leading by example on mitigating AI risks and harnessing AI opportunities. The Office of Management and Budget (OMB) is announcing that it will be releasing draft policy guidance on the use of AI systems by the U.S. government for public comment. This guidance will establish specific policies for federal departments and agencies to follow in order to ensure their development, procurement, and use of AI systems centers on safeguarding the American people’s rights and safety. It will also empower agencies to responsibly leverage AI to advance their missions and strengthen their ability to equitably serve Americans—and serve as a model for state and local governments, businesses and others to follow in their own procurement and use of AI. OMB will release this draft guidance for public comment this summer, so that it will benefit from input from advocates, civil society, industry, and other stakeholders before it is finalized.
FACT SHEET: Biden-Harris Administration Announces National Standards Strategy for Critical and Emerging Technology
Standards are the guidelines used to ensure the technology Americans routinely rely on is universally safe and interoperable. This Strategy will renew the United States’ rules-based approach to standards development. It also will emphasize the Federal Government’s support for international standards for critical and emerging technologies (CETs), which will help accelerate standards efforts led by the private sector to facilitate global markets, contribute to interoperability, and promote U.S. competitiveness and innovation.
The Strategy focuses on four key objectives that will prioritize CET standards development:
Investment: Technological contributions that flow from research and development are the driving force behind new standards. The Strategy will bolster investment in pre-standardization research to promote innovation, cutting-edge science, and translational research to drive U.S. leadership in international standards development. The Administration is also calling on the private sector, universities, and research institutions to make long-term investments in standards development.
Participation: Private sector and academic innovation fuels effective standards development, which is why it’s imperative that the United States work closely with industry and the research community to remain ahead of the curve. The U.S. Government will engage with a broad range of private sector, academic, and other key stakeholders, including foreign partners, to address gaps and bolster U.S. participation in CET standards development activities.
Workforce: The number of standards organizations has grown rapidly over the past decade, particularly with respect to CETs, but the U.S. standards workforce has not kept pace. The U.S. Government will invest in educating and training stakeholders — including academia, industry, small- and medium-sized companies, and members of civil society — to more effectively contribute to technical standards development.
Integrity and Inclusivity: It is essential for the United States to ensure the standards development process is technically sound, independent, and responsive to broadly shared market and societal needs. The U.S. Government will harness the support of like-minded allies and partners around the world to promote the integrity of the international standards system to ensure that international standards are established on the basis of technical merit through fair processes that will promote broad participation from countries across the world and build inclusive growth for all.
Putting the Strategy into Practice
The U.S. private sector leads standards activities globally, through standard development organizations (SDOs), to respond to market demand, with substantial contributions from the U.S. Government, academia, and civil society groups. The American National Standards Institute (ANSI) coordinates the U.S. private sector standards activities, while the National Institute of Standards and Technology (NIST) coordinates Federal Government engagement in standards activities. Industry associations, consortia, and other private sector groups work together within this system to develop standards to solve specific challenges. To date, this approach has fostered an effective and innovative standards system that has supercharged economic growth and worked for people of all nations.
The CHIPS and Science Act of 2022 (Pub. L. 117–167) provided $52.7 billion for American semiconductor research, development, manufacturing, and workforce development. The legislation also codifies NIST’s role in leading information exchange and coordination among Federal agencies and communication from the Federal Government to the U.S. private sector. This engagement, coupled with the CHIPS and Science Act’s investments in pre-standardization research, will drive U.S. influence and leadership in international standards development. NIST provides a portal with resources and standards information to government, academia, and the public; updates on the U.S. Government’s implementation efforts for the Strategy will also be posted to that portal.
The United States Government has already made significant commitments to leading and coordinating international efforts outlined in the Strategy. The United States has joined like-minded partners in the International Standards Cooperation Network, which serves as a mechanism to connect government stakeholders with international counterparts for inter-governmental cooperation. Additionally, the U.S.-EU Trade and Technology Council launched a Strategic Standardization Information mechanism to enable transatlantic information sharing.
Many U.S. Government agencies have already demonstrated their commitment to the Strategy through their actions and partnerships. Examples include:
The National Science Foundation has updated its proposal and award policies and procedures to incentivize participation in standards development activities.
The Department of State, NIST, the Department of Commerce, the Federal Communications Commission (FCC), the National Security Agency (NSA), the Office of the U.S. Trade Representative, USAID and other agencies engage in multilateral fora, such as the International Telecommunication Union, the Quad, the U.S.-EU Trade and Technology Council, the G7, and the Asia-Pacific Economic Cooperation, to share information on standards and CETs.
The National Telecommunications and Information Administration (NTIA) administers the Public Wireless Supply Chain Innovation Fund, a $1.5 billion grant program funded by the CHIPS and Science Act of 2022 that aims to catalyze the research, development, and adoption of open, interoperable, and standards-based networks.
The Department of Defense engages with ANSI and the private sector in collaborative standards activities such as Global Supply Chain Security for Microelectronics and the Additive Manufacturing Standards Roadmap, as well as with the Alliance for Telecommunications Industry Solutions and the 3rd Generation Partnership Project (3GPP).
The United States Agency for International Development and ANSI work together through a public-private partnership to support the capacity of developing countries in areas of standards development, conformity assessment, and private sector engagement.
The Environmental Protection Agency SmartWay program works closely with the International Organization for Standardization (ISO) to standardize greenhouse gas accounting for freight and passenger transportation, providing a global framework for credible, accurate calculation and evaluation of transportation-related climate pollutants.
NTIA, NIST, and the FCC coordinate U.S. Government participation in 3GPP and work with the Alliance for Telecommunications Industry Solutions to ensure participation by international standards delegates at North American-hosted 3GPP meetings.
The FCC’s newly established Office of International Affairs is managing efforts across the FCC to ensure expert participation in international standards activities, such as 3GPP and the Internet Engineering Task Force, in order to promote U.S. leadership in 5G and other next-generation technologies.
The Department of Transportation supports development of voluntary consensus technical standards via multiple cooperative efforts with U.S.-domiciled and international SDOs.
The U.S. Department of Energy (DOE), through partnerships with the private sector and the contributions of technical experts at DOE and its 17 National Laboratories, contributes to standards efforts in multiple areas ranging from hydrogen and energy storage to biotechnology and high-performance computing.
The Department of the Treasury’s Office of Financial Research leads and contributes to financial data standards development work for digital identity, digital assets, and distributed ledger technology in ISO and ANSI.
The White House released this fact sheet on how the Biden-Harris Administration is strengthening cybersecurity – particularly important with the rise of cyberwarfare mounted by Russia, China, North Korea and others.
The Biden-Harris Administration has brought a relentless focus to improving the United States’ cyber defenses, building a comprehensive approach to “lock our digital doors” and take aggressive action to strengthen and safeguard our nation’s cybersecurity, including:
Improving the cybersecurity of our critical infrastructure. Much of our Nation’s critical infrastructure is owned and operated by the private sector. The Administration has worked closely with key sectors – including transportation, banking, water, and healthcare – to help stakeholders understand cyber threats to critical systems and adopt minimum cybersecurity standards. This includes the introduction of multiple performance-based directives by the Transportation Security Administration (TSA) to increase cybersecurity resilience for the pipeline and rail sectors, as well as a measure on cyber requirements for the aviation sector. Through the President’s National Security Memorandum 8 on Improving Cybersecurity for Critical Infrastructure Control Systems, we are issuing cybersecurity performance goals that will provide a baseline to drive investment toward the most important security outcomes. We will continue to work with critical infrastructure owners and operators, sector by sector, to accelerate rapid cybersecurity and resilience improvements and proactive measures.
Ensuring new infrastructure is smart and secure. President Biden’s Bipartisan Infrastructure Law is an investment to modernize and strengthen our Nation’s infrastructure. The Administration is ensuring that these projects, such as expanding the Nation’s network of electric-vehicle charging stations, are built to endure, meeting modern standards of safety and security, which includes cyber protections. Investments in digital security through the Bipartisan Infrastructure Law (BIL) will also bring high-speed internet to underserved parts of the country, bridging the digital divide as well. Also under the BIL, the Administration launched a first-of-its-kind cybersecurity grant program specifically for state, local, and territorial (SLT) governments across the country. The State and Local Cybersecurity Grant Program will provide $1 billion in funding to SLT partners over four years, with $185 million available for fiscal year 2022, to support SLT efforts to address cyber risk to their information systems and critical infrastructure.
Strengthening the Federal Government’s cybersecurity requirements, and raising the bar through the purchasing power of government. Through the President’s Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, President Biden raised the bar for all Federal Government systems by requiring impactful cybersecurity steps, such as multifactor authentication. The Administration also issued a strategy for Federal zero trust architecture implementation, as well as budget guidance to ensure that Federal agencies align resources to our cybersecurity goals. We are also harnessing the purchasing power of the Federal Government to improve the cybersecurity of products for the first time, by requiring security features in all software purchased by the Federal Government, which improves security for all Americans.
Countering ransomware attacks to protect Americans online. In 2021, the Administration established the International Counter-Ransomware Initiative (CRI), bringing together partners from around the globe to address the scourge of ransomware. The White House will host international partners October 31-November 1 to accelerate and broaden this joint work. This group has raised collective resilience, engaged the private sector, and disrupted criminal actors and their infrastructure. The United States has made it harder for criminals to move illicit money, sanctioning a series of cryptocurrency mixers used regularly by ransomware actors to collect and “clean” their illicit earnings. A number of cyber criminals have also been successfully extradited to the United States to face justice for these crimes.
Working with allies and partners to deliver a more secure cyberspace. In addition to launching the International Counter Ransomware Initiative, the Administration has established cyber dialogues with a breadth of allies and partners to build collective cybersecurity, formulate coordinated response, and develop cyber deterrence. We are taking this work to our most vital alliances – for example, establishing a new virtual rapid response mechanism at NATO to ensure Allies can effectively and efficiently offer each other support in response to cyber incidents.
Imposing costs on and strengthening our security against malicious actors. The Biden-Harris Administration has not hesitated to respond forcefully to malicious cyber actors when their actions threaten American or our partners’ interests. In April of 2021, we sanctioned Russian cyber actors affiliated with the Russian intelligence services in response to the SolarWinds attack. We worked with allies and partners to attribute a destructive hack of the Viasat system at the beginning of Russia’s war in Ukraine.
Implementing internationally accepted cyber norms. The Administration is committed to ensuring internationally negotiated norms are implemented to establish cyber “rules of the road.” More recently, we worked with international partners to call out Iran’s counter-normative attack on Albanian government systems and impose costs on Tehran for this act.
Developing a new label to help Americans know their devices are secure. This month, we will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities. By developing and rolling out a common label for products that meet U.S. Government standards and are tested by vetted and approved entities, we will help American consumers easily identify secure tech to bring into their homes. We are starting with some of the most common, and often most at-risk, technologies – routers and home cameras – to deliver the most impact, most quickly.
Building the Nation’s cyber workforce and strengthening cyber education. The White House hosted a National Cyber Workforce and Education Summit, bringing together leaders from government and from across the cyber community. At the Summit, the Administration announced a 120-Day Cybersecurity Apprenticeship Sprint to help provide skills-based pathways into cyber jobs. With momentum from the Summit, the Administration continues to work with partners throughout society on building our Nation’s cyber workforce, improving skills-based pathways to good-paying cyber jobs, educating Americans so that they have the skills to thrive in our increasingly digital society, and improving diversity, equity, inclusion, and accessibility (DEIA) in the cyber field.
Protecting the future – from online commerce to national secrets – by developing quantum-resistant encryption. We all rely on encryption to help protect our data from compromise or theft by malicious actors. Advancements in quantum computing threaten that encryption, so this summer the National Institute of Standards and Technology (NIST) announced four new encryption algorithms that will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years. These algorithms are the first group of encryption tools that are designed to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day, such as online banking and email software.
Developing our technological edge through the National Quantum Initiative and issuance of National Security Memorandum-10 (NSM-10) on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. This initiative has more than doubled the United States Government’s research and development (R&D) investment in quantum technology, creating new research centers and workforce development programs across the country. NSM-10 prioritizes U.S. leadership in quantum technologies by advancing R&D efforts, forging critical partnerships, expanding the workforce, and investing in critical infrastructure; will move the Nation to quantum-resistant cryptography; and protects our investments, companies, and intellectual property as this technology develops so that the United States and our allies can benefit from this new field’s advances without being harmed by those who would use it against us.
The Biden Administration, from its first days, has been warning – and acting – on cybersecurity, when previous administrations just sat back as ransomware and cyberattacks became epidemic and more lethal – threatening water supplies, power grids, even nuclear plants. But the issue of cybersecurity has become elevated and unavoidable because of Russia’s reaction to sanctions for its invasion and war crimes against Ukraine, warranting President Biden and the White House to issue new warnings and mount pre-emptive defenses. (New York Governor Kathy Hochul already has set up infrastructure to protect New York and cooperate with the federal government.)
“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience,” President Biden declared. “I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.
“From day one, my Administration has worked to strengthen our national cyber defenses, mandating extensive cybersecurity measures for the Federal Government and those critical infrastructure sectors where we have authority to do so, and creating innovative public-private partnerships and initiatives to enhance cybersecurity across all our critical infrastructure. Congress has partnered with us on these efforts — we appreciate that Members of Congress worked across the aisle to require companies to report cyber incidents to the United States Government.
“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. But the Federal Government can’t defend against this threat alone. Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has been actively working with organizations across critical infrastructure to rapidly share information and mitigation guidance to help protect their systems and networks.
“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.”
FACT SHEET: Act Now to Protect Against Potential Cyberattacks
The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.
The Administration has prioritized strengthening cybersecurity defenses to prepare our Nation for threats since day one. President Biden’s Executive Order is modernizing the Federal Government defenses and improving the security of widely-used technology. The President has launched public-private action plans to shore up the cybersecurity of the electricity, pipeline, and water sectors and has directed Departments and Agencies to use all existing government authorities to mandate new cybersecurity and network defense measures. Internationally, the Administration brought together more than 30 allies and partners to cooperate to detect and disrupt ransomware threats, rallied G7 countries to hold accountable nations who harbor ransomware criminals, and took steps with partners and allies to publicly attribute malicious activity.
We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine with extensive briefings and advisories to U.S. businesses regarding potential threats and cybersecurity protections. The U.S. Government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign and we will do everything in our power to defend the Nation and respond to cyberattacks. But the reality is that much of the Nation’s critical infrastructure is owned and operated by the private sector and the private sector must act to protect the critical services on which all Americans rely.
We urge companies to execute the following steps with urgency:
Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
Back up your data and ensure you have offline backups beyond the reach of malicious actors;
Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
Encrypt your data so it cannot be used if it is stolen;
Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.
We also must focus on bolstering America’s cybersecurity over the long term. We encourage technology and software companies to:
Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.
The New York JSOC Will Serve as a First-of-its-Kind Hub for Data Sharing and Cyber Coordination Across New York State, New York City, the Five Major Upstate Cities, Local and Regional Governments, Critical Infrastructure and Federal Partners
Announcement Builds on Governor Hochul’s Unprecedented $61.9 Million Investment in the State’s Cybersecurity Infrastructure as Part of FY23 Budget
Governor Proposes Historic New $30 Million Program for Localities to Help Bolster Cyber Defenses Statewide
As reports have come in about cyberattacks to cripple Ukraine, New York State Governor Kathy Hochul announced the creation of a Joint Security Operations Center in Brooklyn that will serve as the nerve center for joint local, state and federal cyber efforts, including data collection, response efforts and information sharing. A partnership launched with New York City Mayor Eric Adams, Albany Mayor Kathy Sheehan, Syracuse Mayor Ben Walsh, Buffalo Mayor Byron Brown, Rochester Mayor Malik Evans, Yonkers Mayor Mike Spano, and cyber leaders across the state, the JSOC is the nation’s first-of-its-kind cyber command center that will provide a statewide view of the cyber-threat landscape and improve coordination on threat intelligence and incident response.
“There is a new type of emerging risk that threatens our daily lives, and just as we improved our physical security infrastructure in the aftermath of 9/11, we must now transform how we approach cybersecurity with that same rigor and seriousness,” Governor Hochul said. “I’m proud to announce this dynamic and innovative partnership to establish the Joint Security Operations Center in collaboration with New York City, our upstate cities, and government and business leaders across the state. Cybersecurity has been a priority for my administration since Day 1, and this command center will strengthen our ability to protect New York’s institutions, infrastructure, our citizens and public safety.”
This innovative collaboration has been months in the making and is the result of Governor Hochul and her team’s early vision and commitment to enhancing the State’s cybersecurity posture. No other state has brought together cybersecurity teams in a shared command space at this scale including federal, state, city, and county governments, critical businesses and utilities, and state entities like Division of Homeland Security and Emergency Services, Office of Information Technology Services, New York State Police, MTA, Port Authority of New York and New Jersey, the New York Power Authority, among others.
New York’s leadership in finance, energy, transportation, healthcare, and other critical fields makes the State an attractive target for cyberattacks that can disrupt operations, including critical infrastructure and services to citizens. While government entities across the State have historically taken an independent approach to cyber defense and protecting the safety of their technology assets, acting alone is no longer optimal. As the frequency and sophistication of cyberattacks have grown, so too has the need for a “whole of government” approach.
The JSOC, headquartered in Brooklyn and staffed by both physical and virtual participants from across the state, will improve defenses by allowing cyber teams to have a centralized viewpoint of threat data. This will yield better collaboration on threat intelligence, reduction in response time, and quicker remediation in the event of a major cyber incident. It will help participating entities respond to potential issues and elevate systemic trends that may have otherwise gone undetected. This approach leverages all the cyber defense assets at the state, city, local and authority-level under one umbrella.
New York State will collaborate with city and regional leaders on cyber trainings and exercises as the JSOC becomes operational over the coming months. The Governor and her team will continue ongoing conversations with the White House and federal partners to ensure coordination.
This builds on Governor Hochul’s historic proposal in this year’s budget for investment in New York State’s cyber protections, which includes $61.9 million for cybersecurity, doubling the previous investment. These investments will fund critical protections, including the expansion of the state’s cyber Red Team program to provide additional penetration testing, an expanded phishing exercise program, vulnerability scanning and additional cyber incident response services. These investments help ensure that if one part of the network is attacked, the State can isolate and protect the rest of the system.
As part of this proposal, the Governor is also proposing a $30 million “shared services” program to help local governments and other regional partners acquire and deploy high quality cybersecurity services to bolster their cyber defenses. The interconnected nature of the state’s networks and IT programs means that attacks can quickly spread across the state. Many government entities often do not have the funding or resources necessary to protect their systems, some of which provide critical services like healthcare, law enforcement, emergency management, water treatment, and unemployment insurance, to name a few.
In remarks announcing the new cybersecurity effort, Governor Hochul said, “Given the increasingly volatile geopolitical circumstances with Russia and Ukraine. And we just heard from President Biden moments ago on the advancing troops from Russia, we can no longer act independently. And that has been the case where the state of New York has its plan. City of New York has a plan. Our mayors, our local governments throughout the state of New York. And that is not sustainable in light of the threats that we’re seeing. And we can’t expect cities and counties to go it alone. They don’t have the resources, they don’t have the technological know-how and we’re rethinking our entire approach to cybersecurity really based on the model that was put together after 9/11, when we had a fight and talk about how we can bring people together for our physical security. And that was the genesis of the joint terrorism task force…
“We realized that we’re only as strong as our weakest link and the synergy between even our local governments, our cities, and our counties, they’re connected to our state operations. So an attack on them could lead to a larger attack and disruption of service from the state as well. So again, breaking down the silos, the data sharing that has not gone on and bringing it together under one place, and we can strengthen our defenses exponentially.
“And we all know that cyber criminals are relentless. They are motivated, whether they’re state actors, whether they’re rogue individuals, they’re trying to disrupt our operations. Their intent is truly malicious, and that’s why we want to take serious steps here today.
“They’re trying to disrupt our systems and sometimes even extort us for money. And we’ve seen that with hospitals and schools and universities in our own state. And in fact that right now, even costs us $5 to $10 billion a year annually. And just in the last year, 2020 to 21, we’ve had actually 85 serious attacks. And this is even before we’re dealing with the geopolitical situation that I referenced earlier.
“So we know cyber-attacks will continue to happen. And in the long term, this joint security operation, which we call JSOC, you always have to have an acronym if you’re talking about anything in law enforcement, JSOC, this’ll be the tip of the spear for our cybersecurity operations in the state.
“And here we are at 11 MetroTech. And again, this will allow us to have a statewide view and operation sharing. They’ll be doing tabletop exercises. They’ll be working closely together. And I have to tell you, this is absolutely unprecedented. I anticipate that this will be a model for other states. Other areas should be dealing with the same sense of urgency that we [bring] to this. But we know New York state, New York City, we are always going to be in the line of sight for the terrorists and those who want to disrupt our way of life. And knowing that we are the epicenter of financial institutions, and our operations are large infrastructure, and our transportation systems, the MTA, the Port Authority. So that is why we were working so closely with them. And I want to thank Mayor Adams and Chief Technology Officer, Matt Fraser for their partnership.
“We just had a tour of the facility. It is state-of-the-art. This, again, is an incredible model of what collaboration and partner looks like as well. As I mentioned, Albany Mayor Sheehan and Mayor Spano, who’ve traveled here together today. So this is what collaboration looks like. Physically here, but also we have to put money behind this. And I realized as Governor, and I started asking questions about what we’ve done, where our investments have been, they have been lacking. And I’m proud that my administration is proposing a historic $62 million investment in cybersecurity. More than double what has been spent in previous years and making sure that we have the resource.”
Local governments will get $30 million to buy, at a subsidized price, the technological know-how they need to defend themselves.
Hochul said the state would also be increasing the number of cybersecurity professionals in the state’s workforce, with a plan to hire 70 immediately. “We’re going to be aggressive about identifying cybersecurity individuals who are early in their careers through our Excelsior Fellows program. Also mid-year technologists who have specialties in this, offering them 18 months deployments to become embedded with these operations right here, an incredible experience for them and we’ll take from their experience as well.”
SUNY and CUNY systems are also primed to be training the next generation of professionals. The College Of Emergency Preparedness and Homeland Security at the University of Albany is the first of its kind in the nation. “We need to replicate this. So we have cybersecurity degrees all over the State of New York. These are our ways that we’re going to be attracting more people, getting more talent here and using the very best and the brightest that we can to address this threat.”
Hochul added, “This is also an individual challenge. And I’m afraid that many members of the public become desensitized when they say, well, ‘You need to make sure that you have strong passwords and multifactor authentication,’ which people are not even quite sure what that means. You need to protect yourself and change your passwords. Be prepared. Act as if you know that attack is coming, because if it comes and you’re not ready, it can be devastating. Your access to your money, your ability to make purchases. You do not want to be there at a place where you would say to yourself, ‘I wish I had taken steps.’
“This is the warning. This is the warning in light of what’s happening globally. This is what is happening, throughout a normal course of our years, as we’ve seen with these attacks, we’ve experienced over the last decade. And so, now is the time for New Yorkers to be prepared. And those of us with older parents or grandparents, tell them not to open up an email if they do not know, it’s not pictures from their grandchildren, don’t open it up. Because there really is a lot of phishing going on, a lot of opportunities for people to really take your personal information and use it in nefarious ways. And so we want to make sure that our older loved ones hear this warning, understand what they need to do, or not do, in a circumstance that we’re describing here as well.
“So, I’ll close by saying the threat of cyber-attacks is very real. Particularly now, that is the warning we’re receiving out of Washington, particularly for a place like New York, and therefore our state and our cities will be taking a leading role in fortifying our defenses in the battlefield against cyber warfare.
“And we will be as relentless in our defense as the criminals are in their aggression. Mark my words, we will thwart them at every step of the way. And this is proof of what we’re doing here today. Again, first in the nation. And I do hope that other states and other governors will follow the lead of what we’re doing here today.”
New York City Mayor Eric Adams said, “New York City is a prime target for those who want to attack our cyber infrastructure to cause destruction. While New York City Cyber Command is already a national model for impeding these threats, it’s time our cybersecurity moved to the next level. We know that when it comes to cyberattacks, the difference between a minor disruption and a catastrophe can be a matter of minutes. That is why the new Joint Security Operations Center will take an integrated and holistic approach to hardening our cyber defenses across the state. I thank Governor Hochul and our fellow mayors for their partnership, and look forward to working with them to confront this common threat.”
Cybersecurity and Infrastructure Security Agency Director Jen Easterly said, “In today’s globally interconnected world, everyone plays a role in protecting Americans against the threat of cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) applauds the creation of the NY JSOC and, as always, stands ready to partner with our state and local counterparts in keeping New York’s critical infrastructure safe and secure. Proactive cybersecurity incident response and recovery planning will help mitigate risk and ensure a unified response when an incident happens. Collaboration is at the heart of CISA’s mission, and we look forward to supporting this effort as it becomes operational.”
Division of Homeland Security and Emergency Services Commissioner Jackie Bray said, “Thanks to Governor Hochul’s leadership and vision, we are bringing an integrated, statewide approach to cybersecurity with our government partners. The JSOC will become the nerve center for collecting intelligence on potential threats, keeping an eye out for intruders and breaches, and responding to cybersecurity threats and incidents.”
New York State Office of Information Technology Services Chief Information Officer Angelo “Tony” Riddick said, “Governor Hochul’s commitment to safeguard our state’s infrastructure and the personal information of all New Yorkers has been a priority since her first day in office. The new normal of constant cyber risks threatens every level of government, so we must take innovative steps and work together. Creation of a JSOC will better protect our information and ensure we remain even more vigilant against cybercrime while keeping New Yorkers safe.”
New York State Police Superintendent Kevin Bruen said, “Collaboration and information sharing are crucially important when it comes to providing security and assessing threats. We appreciate the efforts by Governor Hochul to form this innovative partnership, which will help strengthen cybersecurity efforts and improve response to future incidents.”
Port Authority Executive Director Rick Cotton said, “The safety and security of the Port Authority’s transportation facilities remain the highest priority of the Port Authority – including a relentless focus on cybersecurity. We applaud Governor Hochul, Mayor Adams and leaders from across the state for creating the JSOC that will enhance the ability of government agencies to identify, resource and implement best practices to combat cyber threats as they continue to evolve.”
Interim President and CEO of New York Power Authority Justin E. Driscoll said, “As the nation’s largest public state utility, cybersecurity is of utmost importance to NYPA. We are thankful to our city and state partners for their collaboration in creating the JSOC. This center will help NYPA keep our systems safe and enable us to continue to generate clean electricity and maintain one-third of the state’s transmission system without incident or interruption, all while providing a whole-of-state approach to protecting New York State from emerging threats.”
MTA Chair and CEO Janno Lieber said, “Cross-agency collaboration is key to providing the best cyber defenses. We are eager to share information and expertise about the MTA’s multilayered cybersecurity systems as we work to protect the state against potential threats.”
Albany Mayor Kathy Sheehan said, “Every day, the City of Albany – like organizations across the nation – defends itself against cyber attacks originating from across the globe. As the victim of a successful ransomware attack in 2019, the City of Albany knows full well the impact this cybersecurity threat can have on the systems that serve our residents and protect our infrastructure. Thankfully, New York State was there for us when it mattered most, and now we will proactively partner within the Joint Security Operations Center to help identify and respond to cybersecurity threats not only to our city, but other local and state agencies across New York. Thank you to Governor Hochul, Commissioner Bray, and Chief Information Officer Riddick for making this investment and deepening the vital partnerships that will help protect our entire state.”
Buffalo Mayor Byron Brown said, “Cyber attacks are an emerging threat that state and local governments must take swift action to protect against, and I am thankful Governor Hochul has the vision to apply a statewide, all-hands-on-deck approach to ensure our safety. I am pleased that Buffalo is part of the launch of this first-of-its-kind Joint Security Operations Center that will position us to be better prepared to prevent, protect against, respond to and recover from cyberattacks.”
Rochester Mayor Malik Evans said, “We look forward to working with the state and our other municipal partners to address the critical issue of cybersecurity. We appreciate the Governor’s investment to protect our data. Any attack on our technical infrastructure systems is actually an attack on the citizens we serve, so bolstering our defenses is a wholly worthwhile endeavor.”
Syracuse Mayor Ben Walsh said, “Cybersecurity is a challenge facing every public and private sector organization every day. Cities are dealing with very similar vulnerabilities, threats and risks. Through the JSOC we will be better able to share intelligence and solutions and better protect our critical assets and the people we serve. I thank Governor Hochul for not just providing resources to our communities but for creating a command center so the state can share more data, information and expertise to confront this always-changing risk. We are always stronger working together.”
Yonkers Mayor Mike Spano said, “The recent wave of cyber security attacks serves as a wake-up call for cities across our country. I thank Governor Hochul for her proactive approach in giving Mayors, who are the generals on the frontlines, a seat at the table to work one on one with some of the most brilliant cyber defense minds in the country as we amplify our cyber security.”
Back in August, President Biden met with private sector and education leaders to discuss the whole-of-nation effort needed to address cybersecurity threats. Recent high-profile cybersecurity incidents demonstrate that both U.S. public and private sector entities increasingly face sophisticated malicious cyber activity. Cybersecurity threats and incidents affect businesses of all sizes, small towns and cities in every corner of the country, and the pocketbooks of middle-class families. Compounding the challenge, nearly half a million public and private cybersecurity jobs remain unfilled. The White House provided a fact sheet outlining steps the Biden Administration is taking to address cybersecurity:
Cybersecurity is a national security and economic security imperative for the Biden Administration and we are prioritizing and elevating cybersecurity like never before. On May 12, 2021, President Biden issued an Executive Order that modernizes Federal Government defenses and improves the security of technology. To secure our critical infrastructure, this spring the Biden Administration launched a 100-day initiative to improve cybersecurity across the electric sector with others to follow. On July 28, the President issued a National Security Memorandum establishing voluntary cybersecurity goals that clearly outline our expectations for owners and operators of critical infrastructure. The Administration has also engaged with the private sector on the importance of prioritizing cybersecurity as a central part of their efforts to maintain business continuity. And internationally, the Biden Administration has rallied G7 countries to hold accountable nations who harbor ransomware criminals and to update NATO cyber policy for the first time in seven years.
The purpose of the meeting was to discuss opportunities to bolster the nation’s cybersecurity in partnership and individually. Several participants announced commitments and initiatives including:
The Biden Administration announced that the National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software. Microsoft, Google, Travelers, and Coalition committed to participating in this NIST-led initiative.
The Biden Administration also announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines. The Initiative has already improved the cybersecurity of more than 150 electric utilities that serve 90 million Americans.
Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers — including more than 9,000 in the United States — to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security. Google also announced it will help 100,000 Americans earn industry-recognized digital skills certificates that provide the knowledge that can lead to secure high-paying, high-growth jobs.
IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Amazon also announced it will make available to all Amazon Web Services account holders at no additional cost, a multi-factor authentication device to protect against cybersecurity threats like phishing and password theft.
Resilience, a cyber insurance provider, announced it will require policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
Coalition, a cyber insurance provider, announced it will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization.
Code.org announced it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms over 3 years, to teach a diverse population of students how to stay safe online, and to build interest in cybersecurity as a potential career.
Girls Who Code announced it will establish a micro credentialing program for historically excluded groups in technology. The program will make scholarships and early career opportunities more accessible to underrepresented groups.
University of Texas System announced it will expand existing and develop new short-term credentials in cyber-related fields to strengthen America’s cybersecurity workforce. A major part of this effort will be to upskill and reskill over 1 million workers across the nation by making available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute. Credentials do not depend on traditional degree pathways, and should also contribute significantly to diversifying the pipeline.
Whatcom Community College announced it has been designated the new NSF Advanced Technological Education National Cybersecurity Center, and will provide cybersecurity education and training to faculty and support program development for colleges to “fast-track” students from college to career. The nature of community colleges dispersed in every community in the nation makes them an ideal pipeline for increasing diversity and inclusion in the cybersecurity workforce.
Today, just days after a ransomware attack on Colonial Pipeline, which supplies 45 percent of the gasoline to the Eastern Seaboard, exposed the vulnerability of key U.S. infrastructure, President Biden signed an Executive Order to improve the nation’s cybersecurity and protect federal government networks. The FBI believes the attack was perpetrated by DarkSide, a relatively new criminal group based in Eastern Europe.
The White House supplied this fact sheet about the actions taken under the Executive Order:
Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.
This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses. However, the Colonial Pipeline incident is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.
Specifically, the Executive Order the President is signing today will:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information. IT providers are often hesitant or unable to voluntarily share information about a compromise. Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches. Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of Federal procurement to incentivize the market. Finally, it creates a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.
Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.
Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack. Recent incidents have shown that within the government the maturity level of response plans varies widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential.
Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.