Several cybersecurity issues will be among the many early priorities for the 46th president of the United States, Joseph Biden.
These include responding to recent cyberattacks believed to come from nation-states, reorganizing and reprioritizing cyber in Washington, and encouraging allies to adopt a more unified approach to issues like Internet governance and cyber norms.
However, one U.S. expert says the biggest task will be ensuring the bureaucracy remains focused on fixing the damage to government departments from the SolarWinds hack.
“Just the work around network forensics and imaging, wiping and rebuilding potentially infected hosts will be an enormous task,” Adam Isles, principal and head of the cybersecurity services team at the Washington-based Chertoff Group, said in an interview. Isles was a U.S. representative on the G8 high-tech crimes experts group and worked on security planning in 2009 for the Obama inauguration.
“That’s going to require focus at three levels: Level one is remediation. We know Treasury, Department of Homeland Security, State and Defense appear to have been compromised.”
Level two should be looking at what the attack says about the government’s supply chain security. Software lifecycle security isn’t dealt with comprehensively under the National Institute of Standards and Technology (NIST) cybersecurity framework, Isles noted.
The third issue stemming from the attack is deciding when it’s proper for civilian government agencies to ask for help from the U.S. military’s Cyber Command and its resources.
He also raised the possibility that Biden will support federal personal data protections and privacy law covering the private sector. Right now, only states have privacy laws, and few are similar. “I would expect you’ll be seeing something from him in relatively short order on where we want to go on privacy,” Isles said.
“I’ve lived in D.C. [the District of Columbia] for 23 years and been here for previous inaugurations,” he added. “This city is locked down in a way not seen previously. It’s a statement around the amount of healing we need to do as a country over the next weeks and months.”
Christopher Painter, a former U.S. cyber diplomat who is now president of the Global Forum on Cyber Expertise, noted that after the SolarWinds attack was discovered, Biden said his administration would make cybersecurity a top priority at every level of government as soon as he enters office. Biden has suggested tougher penalties and fines for people executing cyberattacks.
By contrast, Painter highlighted how Trump allegedly told a cybersecurity advisor that he’d rather watch the Masters golf tournament and dismissed administration officials who blamed Russia for cyberattacks, including SolarWinds.
Painter had been a coordinator for cyber issues at the State Department since 2011. He helped negotiate joint agreements with other countries on issues like protecting critical infrastructure and developing cyber norms until the Trump administration downgraded the office in 2017.
Oddly (or tellingly, depending on your position), in the Trump administration’s dying days, Secretary of State Mike Pompeo created a new Bureau of Cyberspace Security and Emerging Technologies (CSET) within his department, seemingly restoring cybersecurity’s importance at State. Painter called the late move “bizarre.”
Painter also noted that as part of his promise to raise the profile of cybersecurity, Biden had resurrected the cyber coordinator position at the White House. He will also have a deputy national cybersecurity advisor, another new position. In addition, Congress recently mandated the creation of a new position of National Cyber Director.
Biden’s proposed US$1.9 trillion economic recovery plan, released last week, includes $9 billion to launch major new IT and cybersecurity shared services programs at the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration, and to complete modernization projects at federal agencies. That includes $200 million for the rapid hiring of hundreds of experts to support the federal Chief Information Security Officer and U.S. Digital Service.
On international issues such as internet governance and cyber norms of behaviour, Isles says he believes Painter expects a Biden administration to work closely with allies in several forums, including the United Nations, the European Union and NATO.
“One thing that complicated my old office’s efforts is even though people (in other countries) would work with us on cyber issues, we were pissing off a lot of our allies on other issues. That doesn’t help. It puts us in a better posture if there is a view of trying to build alliances on shared threats on every issue, and that helps on cyber.”
But Painter is adamant that the country also has to “think about how to hold bad actors accountable.” That means possible cyber retaliation. In that, a Biden administration will follow the policy of both the Trump and Obama administrations, he says.
Painter and Isles also agreed Biden will continue the Trump administration’s concern about network equipment from Chinese manufacturers being a backdoor into American government departments and companies. The Trump administration passed regulations last year prohibiting the sale of certain U.S. chips to Chinese companies and effectively banned Huawei from commercial telecom networks.
The U.S. has been pressuring NATO allies to do the same under the threat of cutting off intelligence sharing. This poses problems in Canada, where two Canadians have been imprisoned for over two years after Huawei’s chief financial officer was held for extradition to the U.S. That has held up this country’s decision to allow wireless carriers to buy Huawei equipment.
Asked if Biden understands the situation, Painter says at the very least the new administration will raise its technology concerns. “At the end of the day, it’s going to be Canada’s decision,” he added. “The U.S. won’t force Canada to do anything no matter who’s in office. But I think it’s appropriate to have discussions and share our concerns.”
What it means for Canada
Christian Leuprecht, a professor at Canada’s Royal Military College and Queen’s University, and an expert on national security and related issues, says the Biden administration likely won’t make a difference on cyber diplomacy. Beyond the U.N. Group of Experts’ efforts to find a consensus on internet governance, he says, there’s no movement on an international pact due to intransigence by China and Russia.
However, he says he thinks Biden may be able to find a consensus among Western nations on norms of behaviour in cyberspace — something like, ‘cross this line, and there will be consequences’ — such as forbidding attacks on COVID-19 vaccine supply chains as well as on critical infrastructure.
Allies hope that the Biden administration can stop both Republicans and Democrats from leaking sensitive intelligence from partner nations to score political points, he added. “This seriously hampers intelligence collaboration with allies and partners if you can’t trust the Americans,” he said.
As for Huawei, Leuprecht says it’s still unknown if Biden will force Canada to decide soon on allowing carriers here to use Huawei equipment in their 5G networks. Although all carriers have picked other providers, the networks being built now aren’t true 5G, meaning carriers could still turn to the company.
Asked if Biden understands Canada’s non-decision on Huawei so far, Leuprecht noted there is bipartisan support in the U.S. Congress that allies should ban Huawei.
But, he adds, he believes there is understanding, particularly because Canada is being squeezed following a U.S. extradition request. That leads him to suspect the Biden administration will put “subtle” pressure on Canada.