‘I would like to see a pivot from cyber warfare back to risk mitigation and personal privacy’
ANALYSIS Cybersecurity issues – not least allegations that Russian interference brought him to power – loomed large over the presidency of Donald Trump.
With cyber-attacks against the US public and private sector at an all-time high, as evidenced by the recent SolarWinds supply chain hack, the incoming Biden administration has a huge amount of work to do in the cybersecurity arena.
Cyberwar – what is it good for?
Experts polled by The Daily Swig agreed that the Trump administration ushered in a much more aggressive approach to cyber offense compared to previous US governments. There was, however, disagreement on whether this policy should be changed after Joe Biden is sworn into office tomorrow (January 20).
“That shouldn’t change under the Biden administration,” Jay Kaplan, CEO of crowdsourced security firm Synack, told The Daily Swig. “The SolarWinds hack is a clear sign that we must be more aggressive when it comes to hitting back against adversaries who attack us in cyberspace.”
“We can’t just sit back and accept breaches, hacks, and digital extortion,” he added.
Chris Morales, head of security analytics at Vectra, an AI-based attack detection technology vendor, disagreed with Kaplan and argued that the Trump administration’s belligerent approach was rooted in outdated Cold War thinking and was ill-suited to combating contemporary cyber threats.
Joe Biden will be sworn in as US President on January 20, 2021
“For enterprise, the goal has always been to ‘mitigate risk’,” Morales explained. “That was the posture of the federal cybersecurity strategy prior to the Trump administration, last defined in 2015.”
“In 2018, the new posture was ‘assertively defend our interests’ which is more active and risk accepting. The strategy used terms like ‘win’ and ‘pre-empt’, which is a lot like the same language used during the Cold War,” he continued.
These enhanced military cyber capabilities were enacted through policy initiatives including unified cyber command, legislation clarifying DoD (US Department of Defense) authority to wage cyber war, “defend forward” cyber strategy, and offensive cyber operations.
“I would like to see a pivot from cyber warfare back to risk mitigation and personal privacy,” Morales concluded.
“While going on the offensive sounds like a deterrent, it is not aligned with how cyber-attacks truly occur, as witnessed in the latest SolarWinds breach.”
The incoming Biden administration plans to elevate the importance of many cyber issues.
Chris Hauk, consumer privacy champion at Pixel Privacy, commented: “President Biden will restore two White House posts to prominence that were all but ignored during President Trump’s time in office, which are Homeland Security adviser and cybersecurity advisors.”
Hauk added: “Biden is also likely to confront Russia over its cyber-attacks, such as its alleged attempts to disrupt elections in the West.”
Synack’s Kaplan said: “Unlike Trump, the Biden administration will work with our allies to form alliances to improve cybersecurity and develop international standards to establish global norms of behavior in cyberspace.”
Bridging the digital divide
Both the Trump administration and the incoming Biden administration are trying to bridge the digital divide between rural and urban Americans by making high-speed broadband more widely available.
Speaking during a session at the CES trade show, Brian Deese, director designate at the National Economic Council, described broadband rollout at “essential” to the Biden administration’s post-Covid “Build Back Better” agenda, adding that partnership with the private sector will be key.
Early on in Trump's presidency, the Federal Communications Commission (FCC) infamously repealed two major internet regulations: broadband privacy and net neutrality.
“I expect Biden to restore those consumer protections during his term,” commented Paul Bischoff, privacy advocate at Comparitech, a consumer-focused security and technology comparison service.
Net neutrality ensures that internet service providers treat all types and sources of internet traffic equally, essentially classifying the internet as a utility. Broadband privacy rules ensure that internet service providers could not collect and sell customer browsing histories, communications, location data, and other private information without consent.
Back in the security sphere, the Trump administration previously attacked end-to-end encryption amid claims that the technology can subvert national security.
Comparitech’s Bischoff commented: “I’m not sure where Biden will come down on this, but during his time as Vice President under Obama, the administration engaged in no small amount of cyber-spying and bulk data collection, as revealed by Edward Snowden in 2013.
“His past policies would indicate that Biden wouldn’t be opposed to banning end-to-end encryption, but pressure from other lawmakers and his constituents might persuade him otherwise,” he added.
John Petrie, counsellor to the chief information security officer (CISO) at IT giant NTT, looked forward to a greater degree of post-Trump cyber policy continuity than many might imagine.
“The cybersecurity structure within the Trump administration, although with a reduced White House presence, has actually been mostly bipartisan and politics has been generally set aside,” Petrie explained.
“The dismissal of Chris Krebs is where this happy situation began to deteriorate a bit. But when we talk about the initiatives, I don’t think we’ll see a lot of change.”
For example, the emphasis of the Cybersecurity and Infrastructure Security Agency (CISA) becoming a cybersecurity hub will remain.
“In terms of funding, I don’t expect there to be budget cuts,” Petrie said. “In fact, NSA funding may even increase.”
A more liberal Biden regime may well usher in more regulation.
“From a regulatory perspective, most of the Trump administration has been focused on deregulation across the board,” Petrie said. “The Biden administration is expected to increase regulatory requirements.”
Petrie continued: “In the cybersecurity world, that means more scrutiny in terms of limitations and reporting for both private and public sectors.”
Will the incoming Biden-Harris administration signal a change of direction for US cybersecurity policy?
Embracing open source
In related news, the Biden-Harris administration has appointed David Recordon as the White House director of technology.
Vectra’s Morales praised the move, saying: “Recordon is best known for his contribution to open standard authentication protocols and methods, which is precisely the type of technology the industry and federal government needs.
“He has a proven track record as a technologist and will most likely continue his previous efforts around modernisation of the federal government.”
Derek Weeks, vice president and DevOps Advocate at Sonatype, added: “In appointing David Recordon as the White House director of technology, the Biden-Harris administration rightly recognises how integral open source software and application security are to the modern enterprise.”
Sam Curry, chief security officer at Cybereason, an attack detection and response company, told The Daily Swig that which, if any, of Trump administration’s initiatives will be preserved will remain unclear until the Biden administration settles into power.
“Until we hear from President-elect Biden himself on the new policies which will be determined for the most part in the first 100 days, it's hard to say,” Curry commented.
“President-elect Biden has to complete the transition of power for the executive branch, which involves a lot of people and processes to go right.”
“There’s no guarantee that there won’t be landmines and scorched earth from the Trump administration making that difficult,” he added.
American Rescue Plan
The Biden-Harris administration's American Rescue Plan of early economic policies pledges to modernize federal IT systems to defend against cyber-attacks, such as the recently discovered SolarWinds assault.
The administration wants Congress to allocate $9 billion to expand and improve the Technology Modernization Fund, authorize a separate program for hiring, and allocate an addition $690m to improve security monitoring and incident response.
Independent experts warned that the administration should be careful to avoid falling into the trap of defending against the last big threat.
Sean Sullivan, a security advisor at F-Secure and political science graduate, told The Daily Swig: "I hope the Biden administration doesn’t fall into the all-too-common trap of defending against the last known threat."
Sullivan explained that a great deal of effort and resources was focused on defending the 2020 US election, which was "definitely important, but I can’t help but think that it took away from other areas".
"And now, because of the SolarWinds snafu, too much over correction will kick in and the system will focus on supply chains to the exclusion of many other threats," Sullivan said.
"It feels similar to when Sony’s PlayStation Network was hacked in 2011. Sony companies then focused on protecting customer data. But then in 2014, Sony Pictures Entertainment learned (the hard way) that its own data was also important to secure. We’re probably due another Sony hack of some kind."
This story was updated to add information about the Biden-Harris administration's American Rescue Plan and comment from F-Secure's Sean Sullivan