Cyber security experts weigh in on what we’ve learned about President Biden’s cyber security strategy in his first 100 days in office.
President Joe Biden declared in mid-December, more than a month before he took office, that cyber security would be a “top priority” of his administration.
It should be. The digital world, as we are all now reminded daily, has a direct impact on the real world, for better and worse. It provides conveniences and powers that were the stuff of sci-fi dreams only a generation ago, but it also generates threats to privacy, physical safety, and personal, corporate, and national security.
And 100 days into his first term, which marks the end of the so-called honeymoon period for a new president, Biden has made a start on assembling a team, responding to at least some foreign attacks, and building a strategy.
But as any elected official knows, making promises is the easy part. Delivering on them can get difficult and complicated. That is especially true when it comes to this issue. If the president succeeds in moving the cyber security needle in a substantive way, he’ll be the first.
Not that his predecessors didn’t try. Biden inherits a pile of executive orders and initiatives from every U.S. president since Bill Clinton, starting with Clinton’s National Plan for Information Systems Protection in 2000, labeled “the first-ever national strategy for protecting the nation’s computer networks from deliberate attacks.”
The most recent, under the Trump administration, were December 2018’s proposed “Cybersecurity Moonshot” and then March 2020’s 182-page report from the U.S. Cyberspace Solarium Commission proposing more than 80 recommendations to implement a strategy of “layered cyber deterrence.”
“What we’re trying to do here is a 9/11 Commission report without 9/11,” Senator Angus King, I-Maine, one of the commission’s two cochairs, told Wired magazine at the time. “We’re trying to solve a problem before it turns into a catastrophe.”
Still, after two decades during which the internet has become as embedded in modern life as the automobile and television, no cyber security expert would describe it as safe and secure, multiple well-intentioned policy initiatives notwithstanding.
Federal cyber security challenges
Indeed, the challenge for Biden is evident in the cyber security failures at the federal level:
- The Office of Personnel Management (OPM) couldn’t protect the personally identifiable information (PII) of more than 22 million current and former federal employees.
- The National Security Agency (NSA) couldn’t protect its own stash of so-called zero-day (not yet publicly known) vulnerabilities that it hoped to use to spy on, or attack, hostile nation states or terrorist groups. Instead, the stash ended up in the hands of Wikileaks.
- Much more recently, government couldn’t prevent, or even detect, the cyber attack on IT vendor SolarWinds, attributed to Russia, that compromised 9 federal agencies and (so far) about 100 private sector companies.
- Another attack, this one attributed to China, took advantage of zero-day vulnerabilities in Microsoft’s Exchange Server, an enterprise email product. It has reportedly affected at least 30,000 organizations in the U.S. including law firms, defense contractors, and local governments.
- And just a couple of weeks ago, a joint advisory from the NSA, the Cyber & Infrastructure Security Agency (CISA), and the FBI warned that SVR, the Russian Foreign Intelligence Service, was actively exploiting five major software vulnerabilities against American and allied targets.
All of which left the president with multiple fires to put out, or at least confront, in the early days of his administration. A couple of weeks ago he issued an executive order announcing sanctions against Russia for the SolarWinds attack and for allegedly seeking to interfere in the 2020 election. They included the expulsion of 10 Russian diplomats.
Russia promptly announced the expulsion of 10 U.S. diplomats, added 8 U.S. officials to its sanctions list and said it will restrict the activities of U.S. nongovernmental organizations operating in Russia. So far, there have been no announcements of sanctions against China.
- The president announced major cyber security appointments, putting several NSA alumni in charge of the nation’s cyber security. They include Anne Neuberger (former various senior roles at the NSA) in the newly created role of deputy national security adviser for cyber security on the National Security Council; Jen Easterly (former deputy director of the NSA’s counterterrorism center) as head of CISA; and John “Chris” Inglis (former NSA deputy director) as national cyber director. Rob Silvers, appointed undersecretary of the Department of Homeland Security for policy, is the only one without an NSA background.
- The president proposed, and Congress recently passed, a $1.9 trillion coronavirus relief package with $650 million of that dedicated to CISA.
On April 20, the administration announced a “100-day plan aimed at protecting the electric grid against cyber attacks. National Security Council spokesperson Emily Horne called it “a pilot of the administration’s broader cyber security initiative planned for multiple critical infrastructure sectors.” It also would require government contractors to report attacks on their networks and software to federal government customers within several days of discovery. That comes shortly after the North American Electric Reliability Corp. (NERC) reported that about a quarter of roughly 1,500 electric utilities that share data with NERC said they had installed the malicious SolarWinds software update called Orion, although most said they had not detected any evidence of compromise.
- The infrastructure plan also includes $100 billion for improving the power grid, some of which is expected to be used to improve cyber security.
Cyber security funding is not enough
And the response to all this from the cyber security community? So far, it’s mixed. Dmitri Alperovitch, cofounder and former CTO of CrowdStrike and now chair of Silverado Policy Accelerator, called Biden’s appointments the “cyber equivalent of the dream team.”
But regarding funding for cyber security, critics say it is not nearly enough.
While the $650 million earmarked for CISA in the infrastructure bill is more than welcome, Andy Keiser, a former House Intelligence Committee staffer with close ties to CISA, told Politico that the agency is “overworked, understaffed, and in one sense fighting half-blindfolded.”
Regarding the sanctions on Russia, which immediately responded in kind, it looked more like symbolism on both sides than real punishment for penetrating the U.S. government and stealing an unknown amount of data.
As has been said for years, it’s likely that the U.S. is using cyber attacks to spy on its enemies just as aggressively.
And when it comes to cyber strategy, experts say Biden doesn’t need to start from scratch, given that he is awash in templates from previous administrations.
Focus on the fundamentals
AJ Nash, director of cyber intelligence strategy at Anomali, said in a post on Security Week that the best of the lot is the Solarium Commission report, which is only about a year old and offers “bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyber space.”
Among that report’s recommendations are to update the national cyber strategy and put it under the leadership of “a single executive owner.”
So once appointments, funding, and strategy are in place it will come down to how well the administration can execute on a plan. And at least some experts say it should focus on the basics more than the grandiose.
Michael Fabian, principal consultant at Synopsys, said last year in connection with the Cybersecurity Moonshot proposal that “information security across the board needs to do fewer transformational things and more fundamental things.”
Regarding the Biden initiatives, he said the only way for more rigorous standards to be effective will be for them to have adequate funding and accountability provisions. If a company compromises the personal and financial information of millions of customers due to lax cyber security, angry rhetoric will not be enough. It will take real pain for high-end executives and shareholders for others to get the message, he said.
Local and state government are the weakest link
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, said there does need to be a transformation, at least of focus, from the obsolete “better firewall” model to one that addresses the focus of attackers “on weaknesses in applications and the people and processes operating those applications.” That, he said would mean addressing the weakest link in the security chain, which likely would be at the local or state government level.
If attackers “view targeting state-run systems or even those of local government as being most disruptive, then it doesn’t really matter how well-protected an equivalent federal server might be,” he said.
That means federal money would be better spent on “community problems rather than relying on limited local budgets to defend against nation-state scale attacks,” Mackey said. “Such investments come in many forms such as the $1 billion in the American Rescue Plan for the Technology Modernization Fund; services offered to state, local, and tribal governments through CISA; increased disclosures and transparency following cyber incidents, such as those proposed in an executive order; or modernization efforts for critical digital infrastructure such as outlined in President Biden’s proposed infrastructure initiatives.”