Biden faced two immediate challenges when he entered office, says John Pescatore, director of emerging technology trends at the SANS Institute.
“He had to remediate issues from the previous administration that neglected cybersecurity almost completely,” says Pescatore, who began his career developing secure communication systems at the NSA and the US Secret Service. “But also, we’ve had these very high-profile issues — the SolarWinds attack and then Colonial Pipeline — that were really unprecedented.” Not to mention the Hafnium hack on US Exchange servers.
Grappling with Emergencies, Old and New
On these issues, President Joe Biden is taking care of business. In late May, he announced a budget proposal, which included $750m to help shore up cybersecurity improvements at affected agencies and another $500m for the Technology Modernization Fund to modernize aging cyber-infrastructure in the federal government.
That followed a move that impressed experts across the board: on May 12, Biden announced an Executive Order on improving the nation’s cybersecurity. It imposed new language in the Federal Acquisition Regulation (FAR) contract requirements, forcing federal contractors to collect and store all cybersecurity-related data, sharing it with government clients. Additionally, it imposed cyber incident notification requirements on them, including informing CISA, the Department of Homeland Security’s cybersecurity arm.
The Order also whipped federal agency cybersecurity into shape with some unusually specific requirements. Agencies must develop plans to support zero trust access and cloud technology, along with multi-factor authentication and encryption.
Following the SolarWinds debacle, the Order provided new guidance on third-party software security from NIST, and called for automated tools to maintain trusted source code supply chains. This also extended to the creation of secure software development labeling plans for consumer IoT devices and software.
Show Me the Data
The document has teeth, explains Pescatore, reserving special praise for the creation of a Cyber Safety Review Board. This unit will review cybersecurity incidents after the fact and work out what went wrong, a little like the National Transportation Safety Board does with transportation accidents.
All these measures join up for Patrick Miller, CEO of Ampere Industrial Security. The long-time auditor and investigator for the non-profit North American Electric Reliability Corporation has 35 years’ experience securing national electrical infrastructure and is also an instructor at SANS.
Miller points out that one of the biggest challenges in clearing up a mess like SolarWinds and preventing another is getting lots of data about what happened. “The cyber NTSB, the push for breach notification — it’s all an effort to get more data about these things that are happening,” he says.
This is a much-needed change. In February, the Senate Intelligence Committee leaders wrote to government agencies complaining that the government needed more cooperation when dealing with the SolarWinds hack. One of those senators, Mark Warner, complained the month before, just as Biden entered office, that the Committee had to rely on a private-sector company for the details. The agencies responsible simply hadn’t reported to him.
Getting the Right People in Place
Good cybersecurity needs solid staff on the ground. This was another Biden move that pleased James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies. He praises Biden for some excellent hires.
“He’s got the strongest cybersecurity team we’ve ever seen,” he says. He points specifically to CISA director Jen Easterly, deputy national security advisor Anne Neuberger and Chris Inglis, a former NSA deputy director whom Biden appointed as national cyber director in June.
This isn’t to say that there haven’t been excellent individuals before, such as Michael Daniel, Chris Krebs and Howard Schmidt, but Biden’s hires were coordinated, says Lewis. “What we haven’t had is a team that goes across the agencies,” he says. “And they’ve all worked together for years.”
The Race to Secure Critical National Infrastructure
Hopefully, these experts will help Biden in some of the things he’s tackling now, which often interconnect. One example is the protection of critical national infrastructure, which extends across multiple domains, including energy. The Colonial Pipeline attack in early May snapped that into sharp focus.
Biden got off on the wrong foot by not funding cybersecurity to protect the massive build-out laid down in his $2.25tn infrastructure plan. That concerns Megan Stifel, senior policy counsel at the Global Cyber Alliance and former director for international cyber policy on the National Security Council.
“I would have liked to have seen an additional reference to inclusion and prioritization of cybersecurity,” she says. “We want to build all the infrastructure. Well, to achieve that goal, especially if we’re going to connect it all, we need to be able to protect it all.”
Biden hasn’t been resting on this issue either. In mid-April, he announced a 100-day plan to help protect the electrical grid against cyber-attacks. CISA and the DoE spearheaded the plan, which will be a blueprint for other energy sectors. The DoE will work on technologies to protect the grid according to the plan, which followed a GAO report warning of an increased vulnerability to attacks within the electricity distribution grid.
Miller is optimistic. The electricity sector already has the NERC standards, which he helped create, but they represent the bare minimum requirement. “These are things that will go above and beyond that, that address some of the current issues,” he says. “There are some areas where NERC doesn’t provide adequate coverage.”
Pescatore believes that there’s a more significant utility risk: municipal water. “That area has been neglected because it really has not been subject to federal regulation like the power system has,” he says. “But there’s energy, gas and other utilities like water. And you think about trash removal, other things that could really bring a city to a halt.” That includes election systems, too, which are governed at a local level.
It’s a symptom of a far larger problem that lies in the US democratic structure. Many functions are simply outside the federal remit. So are many private sector operations, which is problematic for Biden as he grapples with another cyber threat: ransomware.
Wrangling the Ransomware Threat
Biden’s administration has seen some of the worst ransomware attacks in history, with the Colonial Pipeline and JBS Meats incidents taking out large parts of US oil distribution and meat production. The administration’s response was underwhelming for Miller: it made some task forces. DHS is running one; the DoJ has another.
“There’s a lot of squeeze there and not much juice,” he says, adding that ransomware isn’t something a task force can solve. “That’s squarely on the companies themselves.”
The White House understands this. As the ransomware attacks rolled out, Anne Neuberger issued an open letter to US companies, urging them to take basic measures. Stifel, who has talked to White House contacts since the ransomware attacks, says that it’s a top priority.
“I think the White House is actively trying to knit together the interagency capacity and authority and talent pool to go after this issue,” she says, adding that it is an international effort and not just a domestic one.
Rebuilding Cyber Diplomacy
International diplomacy is an area where Biden promises to do far better than Trump’s inward-facing administration. He has already flexed his muscle, expelling Russian diplomats in the wake of the SolarWinds hack. At a summit with Russian President Vladimir Putin in June, the message from the new President was clear: crack down on cybercrime, or else.
To hammer home the message against Russia and the US’ other online nemesis, China, Biden needs international consensus from allies that Trump burned, says Miller.
“There’s been a lot of fragmentation. I think a lot of that was caused by the Trump administration, to be perfectly honest,” he says. “And there was a lot of almost intentional disruption of many of the global norms that were already forming and had some traction behind them.”
Biden has a lot of work to do to rebuild international consensus among a community that will now be wary of America, warn experts, but there are some positive signs. In March, he met with leaders from India, Australia and Japan in an attempt to build a united front against China, which continues to threaten the US and other countries with hacking activity and data theft.
Biden has also amended Trump-era bans against China rather than reversing them outright. While he did revoke Trump-era bans against WeChat and TikTok, he kept Executive Order 13959, enacted by his predecessor. This banned US companies or individuals from doing business with companies linked to the Chinese military. Biden has clarified and expanded these rules, which continue to prevent US companies from doing business with select Chinese firms, and more have been added to the list since he took office.
The first six months of Biden’s presidency have been a honeymoon period for a leader who took over from a divisive, inward-looking administration. There is much work yet to do. But the consensus is that when it comes to cybersecurity, Biden has made significant progress. The world will be watching eagerly as he plans his next move.