When it comes to hitting the ground running on cybersecurity, the Biden administration has engaged in an extensive set of initiatives that far outstrip those of the Trump administration – and even those of the Obama administration, which established the previous high-water mark for cybersecurity actions. In mid-October, the White House issued a fact sheet about the Biden-Harris administration’s “relentless focus” on improving the nation’s cybersecurity to tout its impressive sprint.
The document outlined the administration’s actions since January 2020, when President Biden assumed the presidency amid the fallout of the SolarWinds and Microsoft Exchange supply chain security crises. As spelled out in the fact sheet, the Biden administration’s cybersecurity agenda has tackled a wide swath of domestic and international digital protection challenges. And while the domestic cybersecurity agenda seems well-baked for now, experts say the Biden administration still has room to do more on the international scene.
US takes steps to lock digital doors
In its fact sheet, the administration said it was building a comprehensive approach to “lock our digital doors” and take aggressive action to strengthen and safeguard U.S. cybersecurity. Among some of the domestic accomplishments cited are:
- Improved critical infrastructure cybersecurity, including “multiple performance-based directives by the Transportation Security Administration (TSA) to increase cybersecurity resilience for the pipeline and rail sectors, as well as a measure on cyber requirements for the aviation sector.” The White House also cites the recently released cybersecurity performance goals as a key measure to improve critical infrastructure security.
- Ensuring new infrastructure is smart and secure through a range of efforts made possible by the landmark infrastructure bill enacted earlier this year.
- Strengthening the Federal Government’s cybersecurity requirements and raising the bar through the government’s purchasing power. Biden’s wide-ranging executive order issued in May 2021 required all federal government systems to adopt “impactful” cybersecurity steps, such as multifactor authentication, created a strategy for national zero trust architecture implementation, and required security features in all software purchased by the federal government.
- Imposing costs on and strengthening our security against malicious actors, including sanctions on malicious Russian cyber actors involved in the SolarWinds hack and, although not articulated in the fact sheet, sanctioning cryptocurrency exchanges to cut off ransomware payments.
- Developing a new label to help Americans know their devices are secure, including a common label for products that meet US Government standards and are tested by vetted and approved entities.
- Building the Nation’s cyber workforce and strengthening cyber education, including a 120-Day Cybersecurity Apprenticeship Sprint to help provide skills-based pathways into cyber jobs.
- Developing quantum-resistant encryption and leadership in quantum computing while mitigating risks to cryptographic systems through four new encryption algorithms that will become part of the National Institute of Standards and Technology’s (NIST) post-quantum cryptographic standard and increased R&D investment in quantum technology.
In the face of all these and other actions, such as mandatory incident and ransomware payment reporting requirements, some experts say it might be time for the administration to pause on further executive orders and policy pronouncements to allow the federal apparatus to catch up. Bob Kolasky, senior vice-president for critical infrastructure at Exiger and a former DHS official, tells CSO: “If I were the administration, I would stop coming up with more good ideas and I would take the good ideas that they’ve already come up with and make sure that they’re effectively implemented.”
“I think there’s a danger of trying to do too much, so I don’t think 2023 needs to be more policymaking. It needs to be more attention to details and getting feedback from industry and operational folks to ensure that the implemented requirements are well designed.”
International accomplishments highlighted
In addition to the list of domestic accomplishments, the White House highlights several international achievements. Chief among these are the International Counter Ransomware Initiative, which recently held its second meeting, and advancing accepted cyber norms, as the administration did recently in working with international partners to call out Iran’s counter-normative attack on Albanian government systems and impose costs on Tehran for this act.
US cybersecurity leadership in dealing with cyber threats appears to be a welcome development on the global scene. “Coordination within the US makes cooperation with like-minded nations easier and potentially more effective, a welcome situation for those nations increasingly finding themselves playing cyber-defense,” Daniel Dobrygowski, head of governance and trust, Centre for Cybersecurity at the World Economic Forum, tells CSO.
US participation in the Paris Call for Trust and Security in Cyberspace and its pledge to co-develop digital trust programs and cybersecurity standards as part of the US-ASEAN Comprehensive Strategic Partnership “show the beginnings of a successful strategy to build allies on international cybersecurity and digital trust issues,” Dobrygowski says.
“I think fundamentally the Biden administration’s work has been very well received,” Lauren Van Wazer, vice-president, global public policy, at Akamai and a former cybersecurity official in the Obama White House, tells CSO. “At the same time, I don’t think countries are standing by and waiting and watching. Particularly in the cyber incident reporting space, you’ve got a lot of countries that have adopted regulations.”
Crimes such as ransomware transcend international boundaries, so it’s helpful that the US is taking a leadership role, Kolasky says. “We need a level of coordination and collaboration on enforcement on the financial side and enforcement on trying to go after ransomware criminals,” he says. The US should then “try to set a standard by which countries are going to be punished if they’re perceived as supporting criminal gangs or sponsoring criminal gangs to use ransomware.”
More action needed on the global scene
Despite these accomplishments, the White House must continue to press for greater cybersecurity advancements on the international scene. Further harmonizing how international partners approach cybersecurity policies and requirements is an essential first step, says Van Wazer, starting with the “low-hanging fruit” of aligning cybersecurity incident response requirements.
“If we’re pushing critical infrastructure to be more resilient, are we adopting standards in the EU that don’t exactly jibe with the standards in the US?” she says. “There are just a host of areas that could benefit from harmonization of cybersecurity-related regulations, everything from resilience to sector-specific regulations.”
Another area where the US could show leadership is working with other nations to help resolve the chronic shortage of infosec professionals. “Education has been disrupted around the world, so that means fewer people are getting potentially whatever credentials they need,” Van Wazer says. “I think the cybersecurity workforce set of issues could also be one that we could look at through an international lens. And I think more work can be done there to increase the talent pool for cybersecurity.”
WEF’s Dobrygowski thinks the Biden administration should continue its focus on protecting democracy from digital threats. “The defense of democracy against digital threats, coupled with President Biden’s efforts to unify the world’s democracies against external threats, can be, with significant continued attention and effort, a legacy-defining success,” he says.
Kolasky points to the international effort formed to protect digital infrastructure in Ukraine as a worthy area for continued reinforcement. In particular, he encourages support of “the normative expectation that other countries will come to support countries under attack with additional technical assistance and funding of defense operations and information sharing while encouraging the private sector and NGO community to be part of the cyber defense.”