White House Promises New Steps to Combat Ransomware Scourge
US to reach out to collaborate against transnational criminal groups. Administration also wants more answers from vendors selling technology to gov’t
The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.
The White House said today that it’s working on a global initiative to combat what an official described as a transnational threat from ransomware attackers. It also plans to hold vendors that do business with the government to more stringent security guidelines.
“Criminals use ransomware to target everything from individuals, utilities, hospitals, and large companies,” said Deputy National Security Advisor Anne Neuberger speaking on a webcast at the RSA Conference 2021. “Extortion through ransomware presents a national security threat for countries around the world because it can disrupt schools and hospitals and governments and companies’ abilities to deliver services. And because of the huge financial cost, it's concerning that ransomware often exploits known weaknesses.”
Neuberger, who did not release details about the Administration’s efforts, said the U.S. was committed to playing “a more active role on cyber internationally.” President Biden signed an executive order (EO) on May 12 to modernize U.S. defenses against cyber-attacks. The executive order was billed as “the first of many ambitious steps” the White House plans to take to modernize national cyber defenses.
“International cooperation to address ransomware is critically important because transnational criminals are most often the perpetrators of these crimes,” Neuberger said, expressing alarm about the growing sophistication of what she described as ransomware cartels. “And they often leverage global infrastructure and money laundering networks to do it.”
Neuberger also reinforced a message sounded by the Biden Administration that the U.S. needs to improve its cyber defenses. She published statistics estimating that the average company incurs a cost of $13 million per breach while globally, cyber crime cost 1% of total GDP in 2018.
“As a community we've accepted that we'll move from one incident response to the next and while we must acknowledge breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate. The national security implications of doing so are too grave,” she said. “Simply put, cyber security is not only a national security imperative, but an economic security imperative as well.”
She also said the U.S. government needed to face the “hard truth” that it has also fallen short when it comes to cyber security. In the aftermath of the recent SolarWinds supply chain breach, Neuberger said the Administration was confronted by the fact that basic cyber security prevention measures had not been systemically rolled out across federal agencies, mentioning the absence of MFA, encryption, constant logging and endpoint detection as examples.
In the near term, Neuberger urged the technology industry to change its thinking about how best to approach computer security. “We have to shift our mindset from incident response to prevention and prioritize our investments to get ahead of threats and facilitate early detection,” according to Neuberger.
“The current model of build, sell, maybe patch, means the products the federal government buys often include defects and vulnerabilities,” she said. “That's not acceptable. It's knowingly introducing unknown – and potentially grave – risks that adversaries and criminals then exploit.
“Security has to be a basic design consideration,” she continued. “We'd never buy a car rushed to market knowing it could have potentially fatal defects that the manufacturer may or may not choose to issue a recall and fix. You wouldn't buy that car and decide later whether you want to install seat belts or airbags. But that's analogous to how today's software development model works.”
On the government side, she said the White House planned to begin taking “aggressive steps” to ensure that the software the government buys is built more securely from the start by potentially requiring federal vendors to develop software in a secure development environment.
“Our efforts will pay dividends outside of the federal government, because much of the software the government buys is the same software that schools, small businesses, big businesses, and individuals buy,” she said. “The starting point for building more securely is where you build your software, which should be separate and a secure build environment. This includes things like using strong authentication, limiting privileges, and of course, encryption. It also includes knowing the provenance of the code you include in your bills and using modern tools to check for known and potential vulnerabilities.”