The Washington Post

Biden tells top CEOs at White House summit to step up on cybersecurity

‘You have the power, capacity and responsibility, I believe, to raise the bar,’ president tells chiefs of Apple, Google, JPMorgan Chase, others

From left, chief executives Tim Cook of Apple, Arvind Krishna of IBM and Sundar Pichai of Google at White House on Aug. 26. (Drew Angerer/Getty Images)

President Biden called on the leaders of companies including Apple, Google and JPMorgan Chase to do more to respond to cybersecurity threats during a summit Wednesday at the White House.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said in his remarks before the summit. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do.”

These challenges are compounded, Biden added, by the shortage of cybersecurity professionals. The White House estimates that roughly half a million cybersecurity jobs remain open, amid an onslaught of cyberattacks.

While an unusually public and ambitious gathering, the meeting was part of a broader Biden administration effort to prioritize cyberattacks as a national security and economic threat. The administration announced that it would work with industry to develop new guidelines to help companies and government agencies build secure technology and assess the security of existing technology. Microsoft and Google, as well as insurance providers Travelers and Coalition, committed to participate in this initiative, according to a White House news release.

Individual executives addressed a wide range of pressing cybersecurity issues. Biden called on Microsoft chief executive Satya Nadella to discuss the steps that the tech industry could take to address cybersecurity, while JPMorgan Chase CEO Jamie Dimon spoke about problems affecting financial services, including ransomware attacks, according to Hadi Partovi, the CEO of the education nonprofit, who attended the meeting.

“We are in a cyberwar,” Partovi said. “Nobody’s declared war, but attacks are happening every day. I felt optimistic that the set of folks who came together have a commitment to work together, whether it’s with government or their competitors.”

Apple CEO Tim Cook, IBM CEO Arvind Krishna and Sundar Pichai, CEO of Google and parent company Alphabet, sat to Biden’s right as he addressed the executives, who were seated around a square table in the White House East Room. Amazon CEO Andy Jassy and chief executives from major banks and insurance, energy and water companies were in attendance, according to a list provided by the White House. Representatives from nonprofit organizations focused on computer science education, including Girls Who Code, and several colleges were summoned to discuss efforts to bolster the cybersecurity workforce. (Amazon founder Jeff Bezos owns The Washington Post.)

“We’ve seen time and again how the technologies we rely on from our cellphones to pipelines to the electric grid can become targets of hackers and criminals,” the president said.

Yet amid growing threats, Wednesday’s summit was largely a signal from the president to the private sector that he cares about cybersecurity issues, said Emily Harding, a senior fellow at the Center for Strategic and International Studies. It also signifies the recent onslaught of hacks will probably be addressed in the future with legislation and executive orders, she said. “Summits like this are messaging opportunities more than policymaking opportunities,” she said. “I would expect the big movements on things like this to come later.”

Attendees said the meeting was just the beginning of the executives’ work with one another and the government on addressing the cybersecurity threat. Christopher Padilla, IBM’s vice president of government and regulatory affairs, said that his breakout group discussed a range of topics, including how the industry and government can better share information about cyberthreats. The group committed to identify a course of action and reconvene in a month.

The meeting convened executives who compete fiercely in business, but Padilla said that there were no outward signs of tensions. There was a recognition, he said, that they were working toward a collective goal.

“Even though there’s a lot of competition, it was a very collaborative discussion,” Padilla said.

Joshua Motta, CEO of Coalition, said the group also discussed the role insurers can play in incentivizing companies to improve particular standards or improve cybersecurity. “It will take time,” he said. “I think we all recognize there’s not a silver bullet to this issue.”

By hosting a high-profile gathering with a who’s who of the country’s most powerful corporate leaders, the White House is demonstrating that cyberattacks are an “existential issue,” said Ari Schwartz, a White House cybersecurity official in the Obama administration.

Schwartz noted that it was significant that the administration included multiple cybersecurity insurance companies in the discussions, adding that insurance companies could force better behavior throughout the industry. One of the providers that participated in the meeting, Resilience, announced it will require policyholders to adopt certain cybersecurity best practices as a condition of receiving cyber insurance.

“You’re going to end up with insurers telling companies what they can do to prevent the next attack,” he said.

Many executives in attendance at Wednesday’s meeting have been at the helm of companies during major security breaches. JPMorgan Chase suffered one of the largest breaches in 2014, when it revealed that more than 76 million households and 7 million small businesses were affected by an attack on its computer systems. Tech giants, including Apple and Microsoft, are routinely targeted by hackers. And a Washington Post investigation recently found that iPhones — built by Apple, which has marketed its devices on claims that it offers better security than rivals — were vulnerable to spyware produced by Israel’s NSO Group.

Notably, the White House guest list did not include recent victims of high-profile hacks, including Colonial Pipeline or T-Mobile, which suffered a data breach earlier this month that exposed the personal information of more than 40 million people. “We spent quite a bit of time with our partners in the Federal Government over the course of our response and welcome others having a similar opportunity today,” said Colonial spokesman Kevin Feeney.

Companies seized on the spotlight to unveil commitments to improve cybersecurity, within their own products and beyond. Microsoft announced it would increase its spending on integrating cybersecurity in its products, investing $20 billion over the next five years into such initiatives, up from a $1 billion-a-year commitment. It also will devote $150 million in technical services to help federal, state and local governments upgrade their cybersecurity protections, the company said.

Google announced a similar $10 billion commitment over the next five years to strengthen the cybersecurity of its products and supply chain. Apple said it would start a new program to ensure the security of its supply chain, by requiring its more than 9,000 U.S. suppliers to adopt practices such as security training.

Many of the corporate initiatives focus on the shortage of cybersecurity professionals. IBM promised to train 150,000 people in cybersecurity skills and work with historically Black colleges and universities to establish centers focused on cybersecurity. Google committed to train 100,000 Americans in fields including information-technology support and data analytics. Amazon said it would make the cybersecurity training it developed for its own employees publicly available and offer some of its cloud service customers a free multi-factor authentication device. Financial services company TIAA announced a partnership with New York University that will enable its employees to obtain free cyber master’s degrees. said it would train more than 3 million students in cybersecurity concepts in the next three years.

The White House touted the meeting as just one step it is taking in response to a rise in hacks and ransomware attacks that has challenged Biden since his inauguration. The president issued an executive order to improve the cybersecurity of the federal government’s networks in the wake of the SolarWinds hack targeting government agencies and private companies. And he also issued a national security memorandum that called on government officials to develop cybersecurity performance goals for critical infrastructure. During his opening remarks at Wednesday’s event, Biden said he discussed hackers’ recent cyberattacks with Russian President Vladimir Putin earlier this year, saying he “made it clear to him that we expected him to hold them accountable as well.”

“They know where they are and who they are,” Biden said.

The threat of regulation could be a driving force behind companies’ willingness to partner with the administration on key initiatives. Lawmakers are increasingly weighing mandates for companies after years of increasingly sophisticated cyberattacks.

When asked about whether Biden would support legislation that would mandate companies to report cybersecurity incidents, White House press secretary Jen Psaki gave no firm answer but said the White House would review any proposals that Congress advances.

“Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity,” she said Wednesday.

Sean Sullivan and Rachel Lerman contributed to this report.