Cyber security experts weigh in on what we’ve learned about President Biden’s cyber security strategy in his first 100 days in office.
President Joe Biden declared in mid-December, more than a month before he took office, that cyber security would be a “top priority” of his administration.
It should be. The digital world, as we are all now reminded daily, has a direct impact on the real world, for better and worse. It provides conveniences and powers that were the stuff of sci-fi dreams only a generation ago, but it also generates threats to privacy, physical safety, and personal, corporate, and national security.
And 100 days into his first term, which marks the end of the so-called honeymoon period for a new president, Biden has made a start on assembling a team, responding to at least some foreign attacks, and building a strategy.
But as any elected official knows, making promises is the easy part. Delivering on them can get difficult and complicated. That is especially true when it comes to this issue. If the president succeeds in moving the cyber security needle in a substantive way, he’ll be the first.
Not that his predecessors didn’t try. Biden inherits a pile of executive orders and initiatives from every U.S. president since Bill Clinton, starting with Clinton’s National Plan for Information Systems Protection in 2000, labeled “the first-ever national strategy for protecting the nation’s computer networks from deliberate attacks.”
The most recent, under the Trump administration, were December 2018’s proposed “Cybersecurity Moonshot” and then March 2020’s 182-page report from the U.S. Cyberspace Solarium Commission proposing more than 80 recommendations to implement a strategy of “layered cyber deterrence.”
“What we’re trying to do here is a 9/11 Commission report without 9/11,” Senator Angus King, I-Maine, one of the commission’s two cochairs, told Wired magazine at the time. “We’re trying to solve a problem before it turns into a catastrophe.”
Still, after two decades during which the internet has become as embedded in modern life as the automobile and television, no cyber security expert would describe it as safe and secure, multiple well-intentioned policy initiatives notwithstanding.
Indeed, the challenge for Biden is evident in the cyber security failures at the federal level:
All of which left the president with multiple fires to put out, or at least confront, in the early days of his administration. A couple of weeks ago he issued an executive order announcing sanctions against Russia for the SolarWinds attack and for allegedly seeking to interfere in the 2020 election. They included the expulsion of 10 Russian diplomats.
Russia promptly announced the expulsion of 10 U.S. diplomats, added 8 U.S. officials to its sanctions list and said it will restrict the activities of U.S. nongovernmental organizations operating in Russia. So far, there have been no announcements of sanctions against China.
And the response to all this from the cyber security community? So far, it’s mixed. Dmitri Alperovitch, cofounder and former CTO of CrowdStrike and now chair of Silverado Policy Accelerator, called Biden’s appointments the “cyber equivalent of the dream team.”
But regarding funding for cyber security, critics say it is not nearly enough.
While the $650 million earmarked for CISA in the infrastructure bill is more than welcome, Andy Keiser, a former House Intelligence Committee staffer with close ties to CISA, told Politico that the agency is “overworked, understaffed, and in one sense fighting half-blindfolded.”
As for the sanctions on Russia, to which Moscow immediately responded in kind, they looked more like symbolism on both sides than real punishment for penetrating the U.S. government and stealing an unknown amount of data.
As has been said for years, it’s likely that the U.S. is using cyber attacks to spy on its enemies just as aggressively.
And when it comes to cyber strategy, experts say Biden doesn’t need to start from scratch, given that he is awash in templates from previous administrations.
AJ Nash, director of cyber intelligence strategy at Anomali, said in a post on Security Week that the best of the lot is the Solarium Commission report, which is only about a year old and offers “bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyber space.”
Among that report’s recommendations are to update the national cyber strategy and put it under the leadership of “a single executive owner.”
So once appointments, funding, and strategy are in place it will come down to how well the administration can execute on a plan. And at least some experts say it should focus on the basics more than the grandiose.
Michael Fabian, principal consultant at Synopsys, said last year in connection with the Cybersecurity Moonshot proposal that “information security across the board needs to do fewer transformational things and more fundamental things.”
Regarding the Biden initiatives, he said the only way for more rigorous standards to be effective will be for them to have adequate funding and accountability provisions. If a company compromises the personal and financial information of millions of customers due to lax cyber security, angry rhetoric will not be enough. It will take real pain for high-end executives and shareholders for others to get the message, he said.
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, said there does need to be a transformation, at least of focus, from the obsolete “better firewall” model to one that addresses the focus of attackers “on weaknesses in applications and the people and processes operating those applications.” That, he said, would mean addressing the weakest link in the security chain, which likely would be at the local or state government level.
If attackers “view targeting state-run systems or even those of local government as being most disruptive, then it doesn’t really matter how well-protected an equivalent federal server might be,” he said.
That means federal money would be better spent on “community problems rather than relying on limited local budgets to defend against nation-state scale attacks,” Mackey said. “Such investments come in many forms such as the $1 billion in the American Rescue Plan for the Technology Modernization Fund; services offered to state, local, and tribal governments through CISA; increased disclosures and transparency following cyber incidents, such as those proposed in an executive order; or modernization efforts for critical digital infrastructure such as outlined in President Biden’s proposed infrastructure initiatives.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.