At the end of 2020, hackers infiltrated more than 18,000 government and private networks in the US. The international community widely condemned the Russian actors behind the so-called SolarWinds breach – but not so the US’s own leader, Donald Trump, who cast doubt over Russia’s involvement and called the hack “far greater in the Fake News Media than in actuality”.
By contrast, President-elect Joe Biden responded forcefully, condemning Russia and vowing to take punitive action in response. This marks a sea change in the White House’s handling of cybersecurity, which has been characterised by inconsistency and contradiction over the past four years, steadily slipping down the policy agenda.
Government officials worked hard to build the US’s cybersecurity infrastructure during the Trump presidency, launching the Cybersecurity and Infrastructure Security Agency (CISA) and rolling out a new national cyber strategy in 2018. But the president consistently undermined this by abolishing critical parts of the country’s cybersecurity architecture, including the top adviser role, and viewing any action against Russia as a personal attack on his 2016 election victory.
Even before taking office, Biden had made a number of appointments that suggest cybersecurity will be a high priority during his administration. He has gathered an experienced team of experts to advise him, choosing Antony Blinken as secretary of state and Jake Sullivan as national security advisor, and has elevated the National Security Agency’s director of cybersecurity Anne Neuberger to a top role on the National Security Council. He also brings personal experience from his time in the Obama government and has, in Kamala Harris, a vice-president with a record of cyber policy and prosecution.
All of this means that Biden’s government will be “coming in really able to hit the ground running”, says Allison Peters, deputy director of national security at US think tank Third Way. “You will see an administration that backs up its position with the individuals and the architecture needed to demonstrate that it is taking threats seriously, that it is taking diplomacy cyber policy seriously,” she says.
Trump: more spending, less security
The amount the US spent on cybersecurity under the Trump administration would suggest a robust approach, with a 50% expansion in the cybersecurity budget between 2017 and 2020.
But “more spending – on cyber or otherwise – does not necessarily equal more security”, says Stephen Ellis, president of US independent budget watchdog Taxpayers for Common Sense, pointing out that a significant proportion of cyber spending comes under the so-called ‘black budget’, areas of US federal spending that are not divulged because of national security concerns, and so receives no oversight. “Targeted investments and oversight, and accountability regarding performance is what gets results,” Ellis adds.
Indeed, the outgoing president has also been criticised for axing resources for critical parts of the government’s cybersecurity infrastructure, with a proposed $258m cutback for the fledgling cyber agency CISA in the 2021 budget and consistent underfunding of areas such as domestic and international capacity building, where the US has historically played a central role.
In contrast, Ellis projects that investment in core cyber architecture, as well as overall cyber spending, will increase during the Biden administration, as the new president takes the large and growing threat of cyber warfare seriously.
“Biden is much less likely to second guess the security community like Trump has because he doesn’t see it through the lens that any cyber threat from Russia also serves to discredit his election,” he says. “He’s likely to see the information, value it and invest in cybersecurity because he’ll just see the information for what it is.”
This has already been signalled in Biden’s $1.9trn rescue package, which outlines a $9bn injection to shore up the US’s cyber infrastructure across the federal government and the beef up the resources of CISA.
Some of this investment will go towards building a new cybersecurity office in the State Department with “cross-cutting authority”, says Third Way’s Peters. Outgoing Secretary of State Mike Pompeo created a new Cyber Bureau in the last few weeks of the Trump administration, but there are questions about the proposed structure that have led to criticism from Capitol Hill.
Peters projects that, under Biden, this office will be formulated into an effective part of the government’s cyber armoury. “I remain hopeful that cyber diplomacy really becomes a central focus for the State Department and [that it] helps to work with other agencies such as the Department of Justice and the Department of Defense in instituting a more coherent approach to America’s cybersecurity policy,” she says.
Battling China for cyber supremacy
Issues of funding and infrastructure are also critical for repairing America’s damaged image as an international cyber superpower. The US has retained its position as the world’s premier cyber power, according to the 2020 Belfer Index. But China is rapidly closing the gap, especially in core areas such as surveillance, cyber defence and commercial capacity, signalling that the US needs to double down on investment if it wants to retain the top spot.
To do this, the domestic focus will be on ramping up private-public co-operation, with a focus on timely and accurate sharing of information through the new office of the national cyber director. The commercial sector accounts for a majority of the resources in cybersecurity and is the target of almost 90% of the attacks, so building developing private sector capacity is critical.
Cross-sector collaboration is also needed around critical technologies such as 5G that are part of the core national security infrastructure, says Chris Painter, the first cyber coordinator for the US Department of State between 2011 and 2017, and a former federal cybercrime prosecutor.
“We need to make sure that we’re competing and leading in those spaces and taking it seriously so that also means funding it,” he says. “The other side is empowering the private sector to be strong enough to be the leaders, to be the innovators in this space.”
The Biden approach to cybersecurity
This is all part of changing the view of cyber “as a boutique issue, not a mainstream national security or economic issue”, adds Painter, a battle that will be underscored by Biden’s willingness to bring up cyber concerns in his diplomatic relations with other countries.
“A central tenet of the incoming administration beyond cyber has been working with allies and partners, having a more multilateral approach, not the America first approach,” he says, adding that this work will be strengthened by Biden’s strong diplomatic record as vice-president.
“That opens up doors to building alliances in cyber as well,” he says. But it will take time for the US to bounce back from the missteps of the outgoing administration, especially on international cyber concerns, says Peters, highlighting escalating international tension around democratic cyber norms and a free internet.
“That fragmentation in terms of global cyber norms has been developing for quite a long time, although it has worsened under the Trump administration,” she says. “The Biden administration will have a more coherent messaging and architecture behind pushing back on that… [and] keeping the internet open, free and secure.”
The arrival of Biden in the White House signals a return to the US as the premier global cyber power and in good time, as the SolarWinds hack has shown that the scale and complexity of cyber threats are ever increasing. But the challenge for the new administration will be keeping it on top of the agenda as it juggles the competing pressures of an ailing economy, escalating social tensions and an ongoing health crisis.