Three Ways Biden Must Ensure Our Cybersecurity During His First 100 Days in Office
As President Biden assumes office, he inherits a cybersecurity situation involving constant and damaging attack and an atrophied, if not intentionally crippled, response. So much of what Biden’s administration hopes to do in all areas of government depends on his ability to defend the US against cybercrime and cyberwarfare. The following are three areas that the administration should focus on during Biden’s first 100 days in office.
#1. Plug policy holes and strengthen weak infrastructure.
The Capitol Breach has made clear many gaps exist in the US government’s cyber policy and infrastructure and the true extent of the risk is becoming even clearer as we learn more about the attack, the attackers, and what support they might have had.
For example, as the attack initially happened, it was reported that a laptop was stolen from House speaker Nancy Pelosi’s office. This laptop was originally downplayed as not being Pelosi’s personal device, but rather a shared device in the office’s meeting room, used only for PowerPoint presentations. Though the person that had stolen the laptop has been identified, arrested, and charged, the whereabouts of the laptop are still unknown, and Pelosi’s aides continue to downplay the risk, again citing it was used for presentations only. Riley June Williams, the person charged with stealing the laptop was reported by an associate as having plans to give the computer to a Russian friend, who would then get it to Russian intelligence. Nearly all the risk inherent to this theft is the result of policy either unwritten or unenforced.
In addition to fixing the overall cybersecurity culture in the US government, real investments in infrastructure must be made. It would seem that President Biden is already moving in this direction, as he plans to allot $10 Billion dollars to cybersecurity and IT efforts in his COVID-19 relief bill. Beyond the infrastructure, equipment, and hardware, the new administration is also asking for $200 million to hire hundreds of new cybersecurity experts and engineers.
#2. Prioritize effective strategy at CISA.
It is obvious there is increasing bipartisan support for empowering the new Cybersecurity and Infrastructure Security Agency (CISA) signed into law in late 2018. Further empowerment of CISA began even before Biden took office earlier this month, as the NATIONAL DEFENSE AUTHORIZATION ACT passed in December expanded CISA’s powers and funding. There have already been public benefits to the increased role of this agency, as it released a tool, dubbed “Sparrow”, designed to disrupt the SolarWinds attack that is still affecting both governmental and private organizations globally.
President Biden already appears to be universally adopting a strategy of surrounding himself with experts and listening to them, and in the area of cyberdefense this bodes well for moving critically time-sensitive leadership initiatives forward. Biden is expected to fill the United States’ top cyber leadership positions with seasoned Obama-era cyberdefense leaders, including Department of Homeland Security (DHS) veteran Eric Goldstein. Goldstein began his service during Biden’s transition, so his efforts at CISA will have momentum as he enters the position, especially after his time at CISA’s predecessor, the National Protection and Programs Directorate at the DHS.
A unified front with our nation’s other cyber operations agencies will further leverage efforts, but this diplomacy must also extend to our foreign relations. While domestic sources of cybersecurity risk are numerous, the bulk of damaging attacks are global affairs, involving international criminal gangs, nation states, and intelligence agencies, often in concert.
#3. Make real progress in the area of cyber diplomacy.
Before the Capitol Breach highlighted all the issues it did, the incoming Biden administration was already being saddled with the still unknown security fallout related to the SolarWinds breach, which has been confirmed to be the work of a group sponsored by the Russian state.
The US has been engaged in cyberwarfare for as long as it has been a viable means of inflicting damage on nation states and institutions. You could call it a two-front war, as we are primarily engaged with Russia and China on separate fronts, but this fails to acknowledge smaller players and even the actions of allies.
The SolarWinds hack is just the latest in a long line of notable actions over the last 20 years. The Moonlight Maze attack can be highlighted as the opening salvo, but it has since been consistent and constant attack on US military systems, government websites, White House and Pentagon email, the DNC, and even the systems of our allies, perpetrated by groups such as Turla, FancyBear, CozyBear, and other groups traced back to the Russian state.
Of course, the United States engages in our own cyberwarfare, against enemies and allies. To think we’ve withstood attack for 20 years without response is to disregard the overwhelming likelihood that the US has engaged in covert action. One example of action that can be attributed to the US, but only unofficially, is the creation of the Stuxnet bot malware, designed to physically sabotage nuclear enrichment capabilities of Iran.
Over the course of the development of cyberwarfare, the US would seem to be the world’s primary target, and could be expected to be leading the fight to end or mitigate such attacks, it has actually been the US that objects, often being the sole country to do so, while the rest of the world engages in cyber diplomacy. UN resolutions to consider cybersecurity and cyberwarfare are voted down by the United States.
“The U.S. position reached a point of embarrassment in 2008, when Russia’s resolution was adopted by both the UN’s First Committee and the General Assembly — over the sole objection of the United States.“ — Judy Westby, Forbes Magazine
There has been some diplomacy in cyberspace, but even this has fallen to political realities, as two opposing entities, a U.S.-proposed GGE and a Russian-proposed Open-Ended Working Group, emerged, with neither having enough sway to effect change. Reliance on the norms that exist now is disingenuous, as we know that states like Russia and China, as well as the United States, will ignore and abandon them whenever it suits their purposes, and especially if it’s possible to disavow involvement. To protect the United States and to reassert US leadership in this area, President Biden must make strong diplomatic moves and work with other countries, especially our cyber foes, to establish a global initiative to create peace online.
Private organizations can help by joining the movement and getting involved in things like the Cybersecurity Tech Accord. Leading by example, the private sector can lobby public office to invest in cybersecurity. The strength of our national cybersecurity impacts us all, down to the end user, and vice versa. During a time in which so much of our daily and civic lives happens online, the safety of our network is more important than ever.
