On Wednesday, Aug. 25, President Biden met with CEOs of some of the nation's largest companies in various industries to discuss cybersecurity and key calls to action. These companies included Apple, Google, and JPMorgan Chase. Biden said in his remarks before the summit, "The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can't meet this challenge alone. You have the power, capacity, and responsibility, I believe, to raise the bar on cybersecurity. Ultimately, we've got a lot of work to do."
I find the summit's topic and those in attendance to be interesting. How can we talk about securing our critical infrastructure but have no critical infrastructure representation at the summit? That seems odd to me. I've spent the last 26 years of my life in industrial control systems, mainly in the heavy processing industries. In all those years, I don't remember seeing any Apple products used in any control systems or actually controlling any critical infrastructure. So Apple, with little to no footprint in the space, is going to be the company that solves our industrial control system cybersecurity problem? Maybe, but it needs help, and that help wasn't represented in the summit.
The thought process could be that the people dealing with the problems today will not be the people getting you out of them. If that is what's going on, I can understand getting outside viewpoints and perspective, but that doesn't mean excluding the people who are dealing with the problems day in and day out. These are the people who understand the infrastructure and the potential pitfalls, the people who understand the differences between IT and OT, the people whose livelihoods depend on these systems running and who are ultimately accountable for these systems. To have zero representation at the summit seems like a missed opportunity.
Responsibility and Obligation
Consumers of services provided by critical infrastructure such as the power grid aren't going to hold Google accountable for rolling blackouts. They will look at their service providers. Those are the companies that will be responsible and accountable to the consumers and the shareholders. If I'm being honest, I'm also struggling with the wording Biden chose to use, specifically the word "responsibility" and assigning that to the companies in the summit. Maybe duty is what Biden was referring to more than responsibility. If that's true, I think we should all feel some level of obligation to protect our critical infrastructure. We all benefit from the services they provide; we should all feel some level of duty to protect them.
I don't mean this as criticism of President Biden being active in protecting our critical infrastructure. Just the opposite, in fact. I think the current administration has been very active as it relates to protecting the nation's critical infrastructure. I just look at this summit as a partial success, which could have been improved by including owner/operators of critical infrastructure.
If I were to describe the most ideal situation, we would combine the forces of the US government, the nation's largest companies (including Apple, Google, and JPMorgan Chase), owner/operators of critical infrastructure, and the existing practitioners of OT cybersecurity companies. Personally, I think it will take a diversified consortium of experts like these to truly protect our critical infrastructure. To borrow from President Biden, "the federal government can't meet this challenge alone." I agree with that, but the people who will solve this problem are a more diverse group than the audience who attended the summit.