Danny Bradbury outlines how President-elect Joe Biden can tackle a challenging cybersecurity landscape.
Each successive US administration advocates change, but as we enter 2021, reform is more urgent than ever. President-elect Joe Biden faces challenges on all fronts.
He has already promised a flurry of executive orders when he takes office. As he rethinks policy across the board, what are the biggest cyber-issues facing his administration? How will he tackle them as he also wrestles with disease, the economy and climate change?
Cyber-threats to the US are at an all-time high, encompassing both existing and emerging challenges. Phishing and ransomware attacks continue to worsen, while AI attacks could easily evolve from a worry to a clear and present danger.
Emerging Threats
While some posit more efficient hacking as a threat from AI, others are more concerned with its ability to supercharge another evolving threat: disinformation.
Sarah Kreps is non-resident senior fellow at the Brookings Institution, where her research focuses on the intersection of technology and international relations, and is also the John L. Wetherill professor at Cornell University. She argues that cyber-operations are asymmetric, meaning that small operations with minimal funding can have amplified effects. She worries that AI will further lower the barrier for disinformation operations.
“Synthetic text will enable other countries to optimize manipulation, creating credible and inflammatory content that then, using the same tools as used to improve marketing, can be targeted at individuals to maximize impact and malicious intent,” she warns.
While some foreign actors will focus on disinformation, others will continue to target US critical national infrastructure. Eric Novotny, Hurst senior professorial lecturer at American University’s School of International Service, points out that this infrastructure straddles private and public sector interests. “All of these sectors of the economy are in private hands, essentially, but now the government seems to play a role,” he says.
That creates an urgent problem, warns Susan Landau, bridge professor in cybersecurity and policy at Tufts University’s Fletcher School of Law and Diplomacy. “Unlike the UK, for example, which has the National Cyber Security Centre, the US does not have deep government involvement with the private sector,” she explains. “In the absence of anything like that, we have continued to suffer great losses.”
"Unlike the UK, the US does not have deep government involvement with the private sector"
Lack of Federal Leadership
Now more than ever, the US needs federal leadership to address these challenges. Jody Westby, head of technology and advisory services firm Global Cyber Risk LLC, advised the Department of Homeland Security on cybersecurity research and development for eight years. She sees nothing but a vacuum in federal leadership.
“There just has not been the organization and importance,” she says, drawing a contrast with the European Union Agency for Cybersecurity (ENISA). “They’re doing some amazing things in cybersecurity, and they budget for it,” she adds, “but we haven’t had the spending, the priority and the leadership to get prepared for this.”
The Obama administration, like the Bush administration before it, appointed Howard Schmidt as a White House cybersecurity advisor, replacing him with Michael Daniel in 2012.
“When that position went away in 2018, it was a step back on the policy side. I have no doubt it impacted the threat side as well,” argues Sasha O’Connell, executive in residence in the Department of Justice, Law and Criminology, School of Public Affairs at American University and director of its Terrorism and Homeland Security Policy Master’s program. She also served as the chief policy advisor on science and technology at the FBI.
With no one guiding things at the top, agencies compete to handle cybersecurity, warns James Lewis, senior vice-president and director of the Technology and Public Policy program at the Center for Strategic and International Studies. “You’ve got the FBI, NSA and DHS competing to be the cybersecurity agency, and no strong White House mechanisms for deconflicting that,” he says, recalling a time when the lines were clearer. DHS was the domestic cyber-lead, while the FBI led on law enforcement and the DoD led military activities.
"You’ve got the FBI, NSA and DHS competing to be the cybersecurity agency, and no strong White House mechanisms for deconflicting that"
Lack of International Support
Domestic challenges aren’t the only ones facing the US. As it faces an array of foreign adversaries, international support is vital. That is unfortunate for a country that has spent four years burning bridges.
“The US should have led internationally,” laments Westby. “Instead, it created the CLOUD Act in secret.” That partnership allows the US to demand data from US service providers storing data in other jurisdictions. It is based on bilateral agreements – the first of which the US signed with the UK – rather than multilateral ones.
Agreements like these, along with broader international rifts created by the Trump administration in areas ranging from trade to the environment, make it harder to foster multilateral support.
“We’re okay with Australia and Japan, but we’re not okay with Europe,” warns Lewis. “To have a partnership with Europe, you must build a partnership with Germany, and that’s something [the outgoing] administration has been incapable of doing.”
That’s a big sticking point for another challenge facing the US: privacy. This issue, linked closely with cybersecurity, runs through both domestic and international politics.
The Privacy Shield, which replaced the Safe Harbor initiative for exchanging data between the US and Europe, is now dead, leaving the EU and US trying to resurrect a new option. Any sensible adequacy agreement between the US and Europe would need a robust federal privacy law first, warns Landau. At present, it has a patchwork of state-level data protection laws. The divided Senate that the Biden administration faces will make legislation more difficult to pass.
How to Move Forward
A national cyber-director role should be the first priority for a new administration, advises O’Connell in a report that she co-authored on the subject.
This role would not have governing power, but it would have the ability to get people around the table. “When the national cyber-director calls a meeting, people come,” she says. “It’s really only at the White House that you get that level of convening power.”
The individual would tackle not just threats, but emerging cyber-policy issues ranging from lawful access to Section 230 of the Communications Decency Act, O’Connell says. The latter currently shelters platforms like Facebook from liability for what their users post, making it a crucial issue in an age of disinformation.
Those cyber-policies also cover approaches to national security, she continues, adding that the national cyber-director should have a seat on the National Security Council. “This person should have coordination, responsibility and authority on both defensive and offensive cyber-operations in the US.”
This person should have coordination, responsibility and authority on both defensive and offensive cyber-operations in the US"
Hawk or Dove?
That interplay between offense and defense will be a key issue for the next administration. The US is better at the former than the latter. In the 2020 National Cyber Power Index, which measures the comparative power of various countries on a range of cyber-issues, the Harvard Kennedy School’s Belfer Center for Science and International Affairs rated the US highest in offense. However, it scored poorly on defense, where it came in fourth. China, which keeps targeting the US with offensive cyber-operations, ranked first.
Offensive cyber-operations were a sticking point for the Obama administration, warns Lewis, arguing that a less hawkish Biden administration will face the same internal debates. “I think Biden will do better with Europe. He’ll do better with our allies,” he says. “but he’s going to have to wrestle with problems like where offensive fits into this, because some of the most senior people in the Obama administration never figured that out.”
While it fully supported the Stuxnet offensive cyber-operation initiated under its predecessor, the Obama administration’s attempts at cyber-diplomacy with China in 2015 came to naught, and the threat there has increased since. How will Biden handle that?
International agreements will help the US achieve those goals, and an isolationist Trump administration at least confirmed the need for responsible state behavior, joining over two dozen other countries in a statement calling for “international rules-based order.”
Now, we need to begin crafting enforceable measures by folding cyber-operations into the rules of armed conflict, says Westby. “We need more than a treaty,” she argues. It must go beyond the existing Tallin Manual, which is a non-binding study on how international law applies to armed conflict.
What happens if the US fails to get this right? “The EU will take the stage,” says Westby. That region is already driving privacy policy, points out Lewis, and would undoubtedly like to steer international policy on cybersecurity. However, Europe faces logistical barriers. “It has its own federal problem, which is that the European Union isn’t responsible for defense, security and military action. This limits what it can do,” he points out.
At the dawn of a new administration, everything seems within reach. In his acceptance speech, Biden said: “I’ve always believed we can define America in one word: possibilities.”
Although America’s stance on domestic cybersecurity and international agreements has stumbled, it still has the power to realize those possibilities. The Harvard Kennedy School study still places the country top when assessing national cyber-power across multiple objectives, although China isn’t too far behind.
Some things can be set quickly on the right track with the appropriate approach. International relations fall into that category. Others, such as unpicking the complex relationship between the private sector and national security, will take more time – and the clock is ticking.