What a Joe Biden Presidency Means for CybersecurityAnalysis: Expect a Renewal of Some Obama-Era Approaches and Coordination Levels
President-elect Joe Biden's approach to cybersecurity appears likely to mirror that of his old boss, former President Barack Obama. Expect Biden's White House to increase pressure on Russia, practice greater involvement in cybersecurity and foster high levels of coordination around all things cyber.
See Also: Top 50 Security Threats
The integrity of voting was of primary concern in the weeks leading up to the election, but cybersecurity was hardly mentioned on the campaign trail. Instead, the COVID-19 pandemic, a devastated economy and tense race relations took center stage.
The new administration has already signaled what some of its top priorities will be - including healthcare, the economy, racial equality and the climate crisis.
We are preparing to lead on Day One, ensuring the Biden-Harris administration is able to take on the most urgent challenges we face: protecting and preserving our nation's health, renewing our opportunity to succeed, advancing racial equity, and fighting the climate crisis.— Biden-Harris Presidential Transition (@Transition46) November 8, 2020
Biden's administration will also have to handle looming cybersecurity challenges and manage aggressive adversaries. The Democratic Party's 2020 platform, approved in August, calls for the Biden administration to "maintain American capabilities that can deter cyber threats," as well as to work with other countries and the private sector "to protect individuals’ data and defend critical infrastructure, including the global financial system."
Biden has prior experience with confronting Russia diplomatically over its online attack activity. Also expect his Justice Department to continue to exert pressure on China to deter its cyberespionage activities.
Cybersecurity Policy Coordination
Another likely move for the new Biden administration will be to restore some of the organizational cybersecurity structures that Trump's administration excised, says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.
Lewis says that could include giving the White House a bigger role in coordinating cybersecurity policy and reining in agencies such as U.S. Cyber Command, which he says has encroached on the U.S. Department of Homeland Security's turf.
The administration could also reverse some cybersecurity moves made by the Trump administration. In May 2018, the White House eliminated the top cybersecurity coordinator role, which was held by Rob Joyce, who has since returned to the National Security Agency to serve as senior adviser for cybersecurity strategy to the agency's director.
The elimination of Joyce's role in 2018 puzzled many experts, given the importance of cybersecurity and the challenge it continues to pose. The move came just 16 months after the FBI, CIA, NSA and Director of National Intelligence concluded Russian President Vladimir Putin personally ordered an extensive cyber interference campaign before the 2016 election (see: White House Axes Top Cybersecurity Job).
The importance of cybersecurity has continued to escalate since Biden last served in a government role - as Obama's vice president from 2008 to 2016 - and so have U.S. capabilities.
So far, it's unclear what Biden's approach to offensive cyber operations might be. In August 2018, Trump signed a controversial executive order that revoked a set of Obama-era guidelines for offensive cyber operations. By doing so, Trump intended to make it easier for U.S agencies to launch online attacks or disruptions targeting other countries (see: Trump Pulls Gloves Off on Offensive Cyber Actions). Reportedly, Gen. Paul Nakasone, who leads both U.S. Cyber Command and the NSA, has dramatically increased the pace of attacks as part of a strategy of “persistent engagement,” “defending forward” and “hunting forward,” Wired recently reported.
While national security experts say the U.S. needs offensive cyber tools, some questioned whether relaxing the rules of engagement might lead to an escalation in conflicts with Russia. But another point of view was that a failure to fully engage adversaries in that arena had already led to an escalation - at the expense of the U.S.
Hard Line on Russia
Biden has indicated he will keep pressure on Russia, particularly regarding any attempt to interfere in U.S. political processes, including, of course, elections.
On July 20, Biden said that, if elected, he would "make full use of my executive authority to impose substantial and lasting costs on state perpetrators."
Biden added: "If elected president, I will treat foreign interference in our election as an adversarial act that significantly affects the relationship between the United States and the interfering nation's government."
The Biden team had also signaled its awareness of the increasing importance of cybersecurity - not least for securing modern U.S. election campaigns - via multiple hires. After the departure of the campaign's CTO, Dan Woods, for example, the campaign split his role in two. Michigan state CISO Chris DeRusha was hired in July to serve in a new CISO role, including protecting the integrity of the campaign's networks and data. DeRusha previously managed automotive giant Ford's enterprise vulnerability management and application security programs, and he served as Obama's White House senior cybersecurity adviser from 2015 to 2017.
Also in July, the campaign hired as CTO Jackie Chang, a senior technologist at Schmidt Futures - a philanthropic firm run by former Google executive Eric Schmidt. She'd previously worked as a software engineer for Hillary Clinton’s 2016 campaign and on the Democratic National Committee software team during the 2018 midterm election.
Biden is also no stranger to confronting Russia on cyber issues. When it became clear Russia was mounting an interference campaign prior to the 2016 presidential election, Biden - then vice president - vowed the U.S. would use its cyber capabilities to send Russian President Vladimir Putin a "message."
"He'll know it," Biden told NBC's "Meet the Press" in October 2016. "And it will be at the time of our choosing. And under the circumstances that have the greatest impact."
Trump refused to consistently acknowledge Russia's efforts to influence the 2016 election. A subsequent special counsel investigation led by Robert Mueller resulted in indictments against Russian nationals for participating in interference but produced no evidence showing that Trump or his team directly assisted Russia with its alleged crimes (see: Mueller's Investigation Finds No Trump-Russia Conspiracy).
How might Biden craft his China policy?
"I don't see changes in the approach to China," CSIS's Lewis says. "Less ad hoc, but the same general direction."
On the cyber front, the U.S. government seems to have had a steady hand in recent years with its approach to China. During the Trump administration, the Department of Justice continued to take cyberespionage and data theft cases to grand juries, often resulting in indictments against members of China's military (see: 4 in Chinese Army Charged With Breaching Equifax).
The chance of a member of the Chinese military ever appearing in a U.S. courtroom remains slim. But officials say the indictments send a message to China and Russia - in short: "back off" - while also demonstrating the digital forensic prowess of the U.S. intelligence apparatus (see: Analysis: The Significance of Russian Hackers' Indictment).
Praise for CISA
One widely lauded cybersecurity move during Trump's term was the creation of the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security.
In November 2018, Trump signed a law creating CISA, which is tasked with securing government computer networks and critical infrastructure and serving as an early warning system for the private sector over emerging threats such as ransomware and nation-state attacks.
CISA is led by Christopher Krebs, who has proved he has a steady hand on the tiller as election-related cyberactivity from Iran and Russia rose in the weeks leading up to Election Day. Krebs sought to get in front of misinformation about the election results, assuring the public that the integrity of voting had not been compromised (see: Election Security: A Progress Report From CISA's Krebs).
My first recommendation for the next Administration is to figure out a way to keep @CISAKrebs. Pretty common for such folks to leave at the end of the admin; but he did his job and didn't play politics about it. He focused on restoring confidence in the vote.— Robert M. Lee (@RobertMLee) November 8, 2020
Krebs is a political appointee, which means he could be replaced by the incoming Biden administration. But as Robert M. Lee, CEO of industrial IoT security company Dragos, points out in a Sunday tweet, Krebs' nonpartisan approach to CISA would make him a good person to retain.
Because this much is already clear for the incoming Biden administration: The job of cybersecurity isn't going to get any easier.
Executive Editor Mathew Schwartz contributed to this story.