For Starters: Expect a Renewal of Some Obama-Era Approaches and Coordination Levels
President-elect Joe Biden when he announced his candidacy in May 2019. (Photo: Michael Stokes via Wikimedia/CC)
President-elect Joe Biden’s approach to cybersecurity appears likely to mirror that of his old boss, former President Barack Obama. Expect Biden’s White House to increase pressure on Russia, practice greater involvement in cybersecurity, and foster high levels of coordination around all things cyber.
The integrity of voting was of primary concern in the weeks leading up to the election, but cybersecurity was hardly mentioned on the campaign trail itself. Instead, the COVID-19 pandemic, a devastated economy, tense race relations and President Donald Trump’s re-election efforts have taken center stage.
The new administration has already signaled what some of its top priorities will be – including health, the economy, racial equality and the climate crisis.
We are preparing to lead on Day One, ensuring the Biden-Harris administration is able to take on the most urgent challenges we face: protecting and preserving our nation’s health, renewing our opportunity to succeed, advancing racial equity, and fighting the climate crisis.
— Biden-Harris Presidential Transition (@Transition46) November 8, 2020
Biden’s administration will also have to handle looming cybersecurity challenges and manage aggressive adversaries. The Democratic Party’s 2020 platform, approved in August, calls for the Biden administration to “maintain American capabilities that can deter cyber threats,” as well as to work with other countries and the private sector “to protect individuals’ data and defend critical infrastructure, including the global financial system.”
Biden himself has prior experience with confronting Russia diplomatically over its online-attack activity. Also expect his Justice Department to continue to exert pressure on China to deter its cyber espionage activities.
Cybersecurity Policy Coordination
Another likely move for the new Biden administration will be to restore some of the organizational cybersecurity structures that Trump’s administration excised, says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.
Lewis says that could include giving the White House a bigger role in coordinating cybersecurity policy and rein in agencies such as U.S. Cyber Command, which he sees as having been encroaching on the U.S. Department of Homeland Security’s turf.
The administration could also reverse some widely questioned cybersecurity moves by the Trump administration. In May 2018, the White House eliminated the top cybersecurity coordinator role, which was held by Rob Joyce, who has since returned to the National Security Agency to serve as senior adviser for cybersecurity strategy to the agency’s director.
Eliminating that role, however, puzzled many experts, given the importance – and challenge – cybersecurity continues to pose. It also came just 16 months after the FBI, CIA, NSA and Director of National Intelligence concluded Russian President Vladimir Putin personally ordered an extensive cyber interference campaign before the 2016 election (see White House Axes Top Cybersecurity Job).
The importance of cybersecurity has continued to escalate since Biden last served in a government role – as Obama’s vice president from 2008 to 2016 – as have U.S. capabilities.
So far, it’s unclear what Biden’s approach to offensive cyber operations might be. In August 2018, Trump signed a controversial executive order that revoked a set of Obama-era guidelines for offensive cyber operations. By doing so, Trump intended to make it easier for U.S agencies to launch online attacks or disruptions targeted other countries (see Trump Pulls Gloves Off on Offensive Cyber Actions). Reportedly, Gen. Paul Nakasone, who leads both U.S. Cyber Command and the NSA, has dramatically increased the pace of attacks, as part of a strategy of “persistent engagement,” “defending forward,” and “hunting forward,” Wired recently reported.
While national security experts say the U.S. needs offensive cyber tools, some questioned whether relaxing the rules of engagement might lead to an escalation in conflicts with Russia. But another strain of thought was that a failure to fully engage adversaries in that arena had already led to an escalation – at the expense of the U.S.
Hard Line on Russia
Biden has indicated he will keep pressure on Russia, particularly regarding any attempt to interfere in U.S. political processes, including of course elections.
On July 21, Biden warned that if elected he would “make full use of my executive authority to impose substantial and lasting costs on state perpetrators.”
Biden added: “If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation’s government.”
The Biden team had also signaled its awareness of the increasing importance of cybersecurity – not least for securing modern U.S. election campaigns – via multiple hires. After the departure of the campaign’s CTO, Dan Woods, for example, the campaign split his role in two. Michigan state CISO Chris DeRusha was hired in July to serve in a new CISO role, including protecting the integrity of its networks and data. DeRusha previously managed automotive giant Ford’s enterprise vulnerability management and application security programs, as well as served as Obama’s White House senior cybersecurity adviser from 2015 to 2017.
Also in July, the campaign hired as CTO Jackie Chang, a senior technologist at Schmidt Futures – a philanthropic firm run by former Google executive Eric Schmidt. She’d previously worked as a software engineer for Hillary Clinton’s 2016 campaign as well as a Democratic National Committee software team during the 2018 midterms.
Biden is also no stranger to confronting Russia on cyber issues. When it became clear Russia was mounting an interference campaign prior to the 2016 presidential election, Biden – then vice president – vowed the U.S. would use its cyber capabilities to send Russian President Vladimir Putin a “message.”
“He’ll know it,” Biden told NBC’s “Meet the Press” in October 2016. “And it will be at the time of our choosing. And under the circumstances that have the greatest impact.”
Trump, even after he became president, refused to consistently acknowledge Russia’s efforts to influence the 2016 election. A subsequent special counsel investigation led by Robert Mueller resulted in indictments against Russian nationals for participating in interference, but produced no evidence showing that Trump or his team directly assisted Russia with its alleged crimes (see Mueller’s Investigation Finds No Trump-Russia Conspiracy).
How might Biden craft his China policy?
“I don’t see changes in the approach to China,” CSIS’s Lewis says. “Less ad hoc, but the same general direction.”
On the cyber front, the U.S. government seems to have had a steady hand in recent years with its approach to China. Following on from President’s Obama’s tenure, during the Trump administration, the Department of Justice continued to take cyber espionage and data theft cases to grand juries, often resulting in indictments against members of China’s military (see 4 in Chinese Army Charged With Breaching Equifax).
The chance of a member of the Chinese military ever appearing in a U.S. courtroom remains slim. But officials say the indictments are a message to China and Russia – in short: “back off” – while also demonstrating the U.S. intelligence apparatus’s digital forensic prowess (see Analysis: The Significance of Russian Hackers’ Indictment).
Praise for CISA
One widely lauded cybersecurity move during Trump’s term was the creation of the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.
In November 2018, Trump signed a law creating CISA, whose remit is securing government computer networks, critical infrastructure and serving as an early warning system for the private sector over emerging threats such as ransomware and nation-state attacks.
CISA is led by Christopher Krebs, who has proved to have a steady hand on the tiller, not least as election-related cyberactivity from Iran and Russia rose in the weeks leading up to Election Day. Krebs sought to get in front of misinformation about the election results, assuring the public that the integrity of voting had not been compromised (see: Election Security: A Progress Report From CISA’s Krebs).
My first recommendation for the next Administration is to figure out a way to keep @CISAKrebs. Pretty common for such folks to leave at the end of the admin; but he did his job and didn’t play politics about it. He focused on restoring confidence in the vote.
— Robert M. Lee (@RobertMLee) November 8, 2020
Krebs is a political appointee, which means he could be replaced by the incoming Biden administration. But as Robert M. Lee, CEO of industrial IoT security company Dragos, points out in a Sunday tweet, Krebs’ nonpartisan approach to CISA would make him a good person to retain.
Because when it comes to cybersecurity, this much is already clear for the incoming Biden administration: The job of cybersecurity isn’t going to get any easier.
Executive Editor Mathew Schwartz contributed to this story.