What the Biden Administration Means For U.S. Cybersecurity

Even before President-elect Joe Biden is sworn into office at noon on Wednesday, Jan. 20, his administration is already facing a series of cybersecurity challenges on top of other major concerns, such as containing COVID-19 and repairing a shattered economy. 

On the security front, the Biden administration will confront the continuing fallout from the SolarWinds breach discovered in December. The hackers appear to have infiltrated the networks of the U.S. Treasury, Commerce, Homeland Security, Justice, State and Energy departments, as well as parts of the Pentagon and several private organizations and companies.

The attack, according to a joint statement released by the agencies investigating the incident, points toward a Russian-backed threat group that carried out the operation as part of an elaborate cyberespionage campaign.

“The Biden administration will have no shortage of priorities, but with respect to SolarWinds, there is a reckoning coming,” Mike Hamilton, former vice chairman of the Department of Homeland Security’s State, Local, Tribal, and Territorial Government Coordinating Council, as well as CISO of the security firm CI Security, told Dice. “Because the Russian government has fingerprints here, and because the memory of the 2016 election has been indelibly carved into the American psyche, there will be some hard deliberation on the limitations of espionage and the definition of international behavioral norms as well as appropriate penalties.”

The Biden administration will also confront several federal agencies responsible for cybersecurity policy and strategy that have lacked leadership and direction for months. The most important of these, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has been without a director since President Donald Trump fired Christopher Krebs from the leadership position a few weeks after the November election.

Other issues include a spate of ransomware attacks that have targeted city and municipal governments over the past two years, plus a series of security incidents designed to target COVID-19 vaccine research and distribution.

The riot at the U.S. Capitol building on Jan. 6 by Trump supporters has also raised a host of cybersecurity concerns, since laptops, mobile devices and other equipment may have been tampered with or stolen during the incident. Both the FBI and Justice Department are investigating the possibility that some of the rioters broke national security laws.

When Biden unveiled his “American Rescue Plan” this week, his administration took the first steps toward addressing some of these daunting cybersecurity issues and creating new policies. The plan included a proposal for about $10 billion in security improvements. 

Biden has also taken a strong stand on the SolarWinds attack, noting that the incident showed how lax U.S. cybersecurity preparedness had become and that new skills are needed.

“This attack constitutes a grave risk for national security. We need to close the gap between where our capabilities are now and where they need to be better to deter, detect, disrupt and respond to those sorts of intrusions in the future,” Biden said during an event earlier this month.

Revising Cybersecurity

Several security experts and analysts noted that, despite headlines and numerous reports about the growing numbers of attacks targeting organizations and individuals alike, spending on cybersecurity was never a priority over the last four years—and that needs to change.

The attack against SolarWinds is likely to serve as a wake-up call to lawmakers and decision-makers in the White House, said Andrew Barratt, managing principal for solutions and investigations at security consulting firm Coalfire.

“Biden will need to place a renewed focus on the investment in cybersecurity that was lost under the Trump administration,” Barratt told Dice. “As we’ve seen, technology supply chains can be varied, globally distributed and hugely impactful in the event of their compromise. Imagine if the hackers targeted Microsoft instead and every Microsoft system was compromised, or if they went after a more subtle target such as a popular Linux distribution or AMI provider on AWS. Consideration for the software supply chain security should be a big priority to ensure that both federal agencies, as well as multinational U.S. organizations, are not compromised by their software providers’ inadequacies.”

While the incoming Biden administration is still preparing to take over the executive branch, Congress is already looking to make cybersecurity a larger priority. As part of the recently passed 2021 National Defense Authorization Act, lawmakers included over 70 separate provisions related to improving security, which include restoring the position of National Cyber Director at the White House.

Many of the provisions in the NDAA were part of the bipartisan Cyberspace Solarium Commission report released in 2020, which called for more spending and greater emphasis on cybersecurity. This includes requiring that the new director of CISA have experience in two of three specific areas related to security: cybersecurity, infrastructure security and security risk management.

The same report also calls for CISA to increase threat hunting within federal agency networks, which means the new administration is going to need new employees with specific skills.

“Getting the right roles in place with the best-qualified people for these roles, some of which are completely new types of roles, is one of the first steps recommended in the Solarium report,” Heather Paunet, senior vice president at security firm Untangle, told Dice. “The report proposes continually building layers of defense such that if one layer were to be compromised, another layer would be there blocking an attack from getting through. This layered approach serves two purposes; the first is to reduce the frequency of cyberattacks that can be attempted or can be successful, and the second is to reduce the severity of an attack so that if one layer is breached, it is isolated regarding the impact it can have.”

And while the incoming Biden administration has not yet proposed specific security policies, Paunet noted that the officials tapped for leadership positions, such as Anne Neuberger, a top official at the National Security Agency who is being appointed to a cybersecurity-focused role on the National Security Council, show that the White House is planning to address these issues more robustly.

“Cybersecurity has become a mainstream issue that needs to be addressed at the highest levels to make sure the U.S. is protected,” Paunet said. “Attacks will keep coming through 2021 and beyond, and our government needs to be prepared to keep evolving our preparedness at all levels.”

Think Policy 

Hamilton, who is now the CISO at CI Security, believes that during the Biden administration, federal agencies will start looking for IT and security professionals with certain skills and knowledge. For example, he notes that other federal agencies might begin to implement their own version of the Cybersecurity Maturity Model Certification, which the Defense Department uses to measure third-party contractors’ readiness and sophistication when it comes to cybersecurity.

“Cybersecurity writ large is a mess in federal agencies, and some of the processes already underway will get increasing support and expansion,” Hamilton said. “For example, the Cybersecurity Maturity Model Certification will likely be adapted for federal agencies outside the Defense Department, and we’ll begin to—finally—force cybersecurity to become a market force rather than a bolt-on.”

Hamilton also notes that leaders in the new administration will likely seek out those with policy experience as well as cybersecurity chops. “The United States will need individuals that are experienced both in public policy and cybersecurity. More broadly, the U.S. will need to tool up a lot of auditors to assess products and companies to ensure that they’re compliant with emerging standards and that third parties are demonstrably addressing security, rather than aspirational self-assessments,” he said.