Biden on cybersecurity: 100 days in, reviews are mixed

The president has made a good start. But it’s executing on a strategy that is the hard part

No president’s legacy should depend solely on what happens in the first 100 days of his administration. That’s less than 7% of a single term.

But for better or worse, 100 days has become a marker for new presidents, both for what to expect and what an administration may be able to accomplish. It’s a “honeymoon” when major policy initiatives have the best chance of getting through even a divided Congress.

All of which leads to this week and a small avalanche of analysis about President Joe Biden’s trajectory on everything from the pandemic to climate change, immigration, infrastructure, taxes, and cybersecurity.

Yes, cybersecurity. The president said before he took office that it would be among his “top priorities.”

It should be. The digital world, as we are all now reminded daily, has a direct impact on the real world, for better and worse. It provides conveniences and powers that were the stuff of sci-fi dreams only a generation ago, but it also generates threats to privacy, physical safety, and personal, corporate and national security.

And if the president actually succeeds in moving the security needle in a substantive way, he will be the first. Cybersecurity has generated a pile of executive orders and initiatives from every U.S. president since Bill Clinton, starting with Clinton’s National Plan for Information Systems Protection in 2000, labeled “the first-ever national strategy for protecting the nation’s computer networks from deliberate attacks.”

The most recent, under the Trump administration, were December 2018’s proposed “Cybersecurity Moonshot” and then in March 2020, a 182-page report from the U.S. Cyberspace Solarium Commission proposing more than 80 recommendations to implement a strategy of “layered cyber deterrence.”

“What we’re trying to do here is a 9/11 Commission report without 9/11,” Senator Angus King, I-Maine, one of the commission’s two cochairs, told Wired magazine at the time. “We’re trying to solve a problem before it turns into a catastrophe.”

But after two decades during which the internet has become as embedded in modern life as the automobile and television did in previous generations, nobody in the cybersecurity business would describe it as safe and secure.

Indeed, the idea that the U.S. government could play a dominant and effective role in protecting the nation from malicious cyberattacks on everything from Internet of Things (IoT) devices to critical infrastructure to election voting systems might strike many people as absurd. Its catastrophic security failures are well known:

  • The Office of Personnel Management (OPM) couldn’t protect the personally identifiable information (PII) of more than 22 million current and former federal employees.
  • The National Security Agency (NSA) couldn’t protect its own stash of so-called zero-day (not publicly known) vulnerabilities that it hoped to use to spy on, or attack, hostile nation states or terrorist groups. Instead, the stash ended up in the hands of Wikileaks.
  • Much more recently, government couldn’t prevent, or even detect, the catastrophic cyber attack on IT vendor SolarWinds that compromised nine federal agencies and (so far) about 100 private-sector companies.
  • Another ongoing attack, this one attributed to China, has taken advantage of zero-day vulnerabilities in Microsoft’s Exchange Server, an enterprise email product. It has reportedly affected at least 30,000 organizations in the U.S. including law firms, defense contractors and local governments.
  • Just a couple of weeks ago, a joint advisory from the NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that SVR, the Russian Foreign Intelligence Service, was actively exploiting five major software vulnerabilities against American and allied targets.

All that doesn’t mean government should stop trying to improve the nation’s cybersecurity. The threat falls into the “clear and present danger” category. Biden, like all the 2020 presidential candidates, vowed he would do something about it.

And after 100 days, this is some of what the president has been doing to keep that vow:

  • This past week he issued an executive order announcing sanctions against Russia for the SolarWinds attack and for allegedly seeking to interfere in the 2020 election. The sanctions were aimed at Russia’s Central Bank, six Russian technology companies, and 32 individuals the U.S. says were involved in Russian efforts to influence the 2020 election. It also included the expulsion of 10 Russian diplomats. Russia promptly announced the expulsion of 10 U.S. diplomats, added 8 U.S. officials to its sanctions list and said it will restrict the activities of U.S. nongovernmental organizations operating in Russia.
  • The president announced major cybersecurity appointments, putting what some might call an NSA alumni association in charge of the nation’s cybersecurity. They include Anne Neuberger (formerly in various senior roles at the NSA) in the newly created role of deputy national security adviser for cybersecurity on the National Security Council; Jen Easterly (former deputy director of the NSA’s counterterrorism center) as head of CISA; and John “Chris” Inglis (former NSA deputy director) as national cyber director. Rob Silvers, appointed undersecretary of the Department of Homeland Security for policy, is the only one without an NSA background.
  • The White House announced, almost two months ago, that Biden would be issuing an executive order to encourage software developers to build security into their products. Neuberger said at the SANS Institute’s ICS Security Summit that the order will “focus on building in standards for software, particularly software that’s used in critical areas.”
  • The president proposed, and Congress recently passed, a $1.9 trillion coronavirus relief package with $650 million of that dedicated to CISA.
  • On April 20, the administration announced a “100-day plan aimed at protecting the electric grid against cyberattacks.” National Security Council spokesperson Emily Horne called it “a pilot of the administration’s broader cybersecurity initiative planned for multiple critical infrastructure sectors,” and said it would be a public-private partnership. Horne said the government would “assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities.” It also would require government contractors to report attacks on their networks and software to federal government customers within several days of discovery. That comes shortly after the North American Electric Reliability Corp. (NERC) reported that about a quarter of the roughly 1,500 electric utilities sharing data with NERC said they had installed the malicious update to SolarWinds’ Orion software, although most of them didn’t detect any evidence of compromise.
  • The infrastructure plan also includes $100 billion for improving the power grid, some of which is expected to be used to improve cybersecurity.

And how is this going over in the tech community? So far, the reviews are mixed.

In some cases, it’s drawn raves. Dmitri Alperovitch, cofounder and former CTO of CrowdStrike and now chair of Silverado Policy Accelerator, tweeted that Biden’s appointments were the “cyber equivalent of the dream team.”

But Paul Rosenzweig, founder of Red Branch Consulting, while strenuously praising the appointees as “wonderful professionals” and declaring himself a “huge fan of the NSA” in a post on Lawfare, still argued that the appointments were too NSA heavy.

The agency, he said, is too focused on offense while an appointee with “private-sector background or nonmilitary government background, could have brought added diversity to their deliberations and a more nuanced understanding of how private-sector cybersecurity functions.”

Jacob Olcott, vice president for communications and government affairs at BitSight, said the administration has “assembled a really strong team,” and agrees with Congress creating a position that “would allow (Capitol Hill) to exert more oversight.” He also said he thought it was constructive for the government to respond to both the SolarWinds and Microsoft Exchange attacks.

But he said much remains to be done. “The announcement that the FBI actively removed backdoor webshell exploits from vulnerable Exchange Servers was very significant. Is this the beginning of more proactive remediation from the USG to commercial entities? What are the legal and privacy implications for future efforts?” he said, adding that government “needs to create an operational strategy to address that long tail of underperforming organizations whose vulnerability puts us at risk.”

On other fronts, while the $650 million earmarked for CISA in the infrastructure bill is welcome, critics say that’s not nearly enough. Andy Keiser, a former House Intelligence Committee staffer with close ties to CISA, told Politico that the agency is “overworked, understaffed and in one sense fighting half-blindfolded.”

What line did Russia cross?

When it comes to sanctions on Russia, which immediately responded in kind, it looked more like symbolism on both sides than real punishment for penetrating the U.S. government and stealing an unknown amount of data.

As has been said for years, it is likely that the U.S. is using cyber attacks to spy on its enemies just as aggressively.

Robert Chesney, a professor and associate dean at the University of Texas School of Law, wondered in a post on Lawfare what “normative” line the Russian attack crossed.

Among the reasons given by the government for the sanctions was that the SolarWinds attack took advantage of a software supply chain. “Is that categorically forbidden? That’s probably not the U.S. position, since this is by no means the first software supply chain attack and none of the previous such attacks prompted such pushback,” Chesney wrote.

Finally, when it comes to cyber strategy, AJ Nash, director of cyber intelligence strategy at Anomali, argued in a post on Security Week that the administration doesn’t need to create a new cyber strategy. It’s awash in templates from previous administrations or Congress.

The best of the lot, he said, is the Solarium Commission report, which is only about a year old and offers “bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace.”

Among that report’s recommendations are to update the national cyber strategy and put it under the leadership of “a single executive owner.”

All about execution

But, as is always the case, it will come down not to rhetoric or symbolism but how well the administration can execute on a plan once the pieces (appointments, funding and strategy) are in place. And at least some experts say it should focus on the basics more than the grandiose.

Michael Fabian, principal consultant at Synopsys, said last year in connection with the Cybersecurity Moonshot proposal that “information security across the board needs to do fewer transformational things and more fundamental things.”

Regarding the Biden initiatives, he said the only way for more rigorous standards to be effective will be for them to have funding and genuine accountability. If a company compromises the personal and financial information of millions of customers due to lax cybersecurity, angry rhetoric will not be enough to change corporate behavior. It will take “real pain” inflicted on high-end executives and shareholders, he said.

Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center (CyRC), said there does need to be a transformation, at least of focus, from the obsolete “better firewall” model to one that addresses the focus of attackers, “on weaknesses in applications and the people and processes operating those applications.”

That, he said, would mean addressing the “weakest link” in the security chain, which likely would not be at the federal level but at the local or state government level.

If attackers “view targeting state-run systems or even those of local government as being most disruptive, then it doesn’t really matter how well-protected an equivalent federal server might be,” he said.

That means federal money would be better spent on “community problems rather than relying on limited local budgets to defend against nation-state scale attacks,” Mackey said.

“Such investments come in many forms, such as the $1 billion in the American Rescue Plan for the Technology Modernization Fund; services offered to state, local, and tribal governments through CISA; increased disclosures and transparency following cyber incidents, such as those proposed in an Executive Order; or modernization efforts for critical digital infrastructure such as outlined in President Biden’s proposed infrastructure initiatives.”