Cybersecurity in Biden’s era
With President’s Day here, the 18th nationally appointed cybersecurity awareness month behind us, and Joe Biden’s presidency at its midpoint—let’s review how the president has addressed cybersecurity challenges in the United States.
National security is at the top of any U.S. president’s agenda. In the past couple of decades, with the ever-increasing dependency on technology, cybersecurity has quickly become one of the main concerns and one of the quickest issues to address after inauguration.
In 1999, Bill Clinton issued an executive order to establish the National Infrastructure Assurance Council (NIAC) “to support a coordinated effort by both government and private sector entities to address threats to our nation’s critical infrastructure.” Soon after, George W. Bush’s administration addressed the need for greater involvement of the private sector and better coordination between government agencies with the Critical Infrastructure Protection in the Information Age executive order.
As technological advances picked up, subsequent U.S. presidents had to devote more and more attention to protecting the country’s cyberspace. As Barack Obama mentioned in a 2009 speech, “America’s economic prosperity in the 21st century will depend on cybersecurity […] cyber threat is one of the most serious economic and national security challenges we face as a nation.”
Obama’s cybersecurity plan speech re-emphasized and strengthened the coordination between federal agencies and the involvement of state, local and private sector entities. It also recognized that cybersecurity starts in citizens’ homes and offices, so great attention was given to “cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.”
The Cybersecurity Act of 2015 and the Cybersecurity National Action Plan (CNAP) of 2016, accompanied by important investments of financial resources in cybersecurity, were some of the results of these efforts.
When Donald Trump took office, he too recognized the protection of cyberspace as one of the most pressing issues; in 2018, he signed the “National Cyber Strategy” to “treat cyberspace [not] as a separate arena […] integrating cyber into all elements of national power [and advancing this approach] by structuring the National Cyber Strategy around the four pillars of the National Security Strategy.”
Biden’s transition efforts on cybersecurity
The transition from cybersecurity in Trump’s administration to Biden’s saw the new president quickly face the need to put cybersecurity at the top of his agenda after taking office. Several high-profile attacks (Microsoft Exchange UCGs, SolarWinds, the meat processing company JBS, software firm Kaseya and the Colonial Pipeline company) showed how they could affect fuel and food supplies and even go undetected for weeks.
In the aftermath of the discovery of the Solarwind attack, the then president-elect Biden quickly affirmed that “a good defense isn’t enough; We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place […] We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks” giving an idea of what would be the approach in the coming months.
Biden’s cyber agenda to defend the nation
President Biden is making cybersecurity a priority. Since the early days of his tenure, he has hinted at a more robust national framework and indicated that the most vital action is to “modernize our cyber defenses and enhance the nation’s ability to quickly and effectively respond to significant cybersecurity incidents.”
In the first 100 days of his presidency, he issued several executive orders that reflected this commitment. He signed EO 14024 in April 2021 to respond to specific threats identified as the actions of the Russian Federation (including the Solarwind attack). The president declared that this constituted “an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States,” declared a national emergency to deal with that threat, and imposed restrictions.
Soon after, in May 2021, a new Cybersecurity Executive Order more specifically addressed how to improve cybersecurity in the U.S. The president’s Executive Order (EO) 14028 – “Improving the Nation’s Cybersecurity” has new provisions for strengthening America’s critical infrastructure against hacking or ransomware by implementing the necessary measures that would combat cyber-enabled crimes and protect digital assets (computer networks, data and people) from successful attacks by adversaries.
Biden’s EO 14028 measures to improve cybersecurity
The order touches on concepts brought up by former presidents, including the need for strong cooperation between the government and the private sector; the latter is called to adapt quicker to the ever-changing threat environment and provide products and services able to withstand the newest attack vectors.
President Biden also calls specifically for “bold changes and significant investments” to modernize the governments’ cybersecurity practices to lead private companies by example, making “the prevention, detection, assessment, and remediation of cyber incidents a top priority and essential to national and economic security,” it is essential to protect the American way of life.
The executive order includes removing barriers to sharing threat information timely to ensure the quickest possible identification of issues. This resulted in a quick change of wording in all information technology (IT) and operational technology (OT) service providers’ contracts to standardize processes and highlight responsibilities in sharing info.
Other points included the importance of increasing the federal government’s visibility into threats while still ensuring the privacy of companies and citizens and protecting civil liberties. Modernization was another pillar of the executive order, with plans to include the implementation of a Zero Trust Architecture, the use of secure cloud services, and the investment in the education of personnel to operate these systems.
According to the executive order, federal departments and agencies will have a standardized playbook for cyber incident response, ensuring a more coordinated approach and the centralized cataloging of incidents. A Cyber Safety Review Board co-chaired by government and private sector leads would review and assess the most significant cyber incidents and make recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices.
More provisions in Biden’s agenda
As part of his cyber agenda, Biden did not only address issues through executive orders; he took several other steps to maximize America’s investigative and remediation capabilities, cyber readiness, resilience and capacity to detect, defend and deter cyberattacks to ensure a plan for recovery and business continuation.
The first step was the attempt to create a team of experienced cybersecurity leaders able to tackle the most pressing security challenges facing the nation and deliver on the president’s agenda:
- Chris Inglis, former National Security Agency Deputy Director, was appointed as the new National Cyber Director (NCD).
- Jen Easterly, a prior NSA intelligence officer, was nominated to lead the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
- Anne Neuberger, a former Cybersecurity Director at the National Security Agency, was selected as the Deputy National Security Adviser for Cyber and Emerging Technology on the National Security Council.
- Robert Silvers, prior DHS’s Deputy Chief of Staff, is named as Undersecretary for Cyber Policy at the Department of Homeland Security (DHS).
- Clare Martorana, former CIO of OPM, was nominated as the Federal Chief Information Officer (CIO) and Administrator of the White House Office of Management and Budget.
- Chris DeRusha, a prior top cyber official, was picked to fill the Federal Chief Information Security Officer (CISO) role.
Each of these appointed cybersecurity professionals serves as the principal advisor to the President on cybersecurity issues and has a key role in ensuring the government’s capability to increase its cyber resilience and create more robust policies.
In January 2022, Biden signed into law the State and Local Government Cybersecurity Act (S. 2520) that provides for collaboration between the U.S. Department of Homeland Security and State, Local, Tribal and Territorial (SLTT) governments (as well as corporations, associations and the general public) to share information and resources to help them prevent and recover from cyberattacks.
In March 2022, a statement by President Biden on the nation’s cybersecurity reiterated the intention to continue using all the necessary tools to deter, disrupt and respond to cyberattacks against critical infrastructure, calling on the private sector’s responsibility to secure their systems and share incidents’ information timely. It also encourages the immediate use of several identified steps, including mandatory multi-factor authentication, a robust patching program, offline backups, strong encryption and strong cyber awareness education programs.
Public Law No: 117-149 was passed in June 2022 as the Federal Rotational Cyber Workforce Program Act of 2021 (S.1097); this legislative bill establishes a rotational cyber workforce program. Certain federal employees may then be detailed among rotational cyber workforce positions at other agencies.
In September 2022, the Department of Homeland Security announced that, through the Bipartisan Infrastructure Law, $1 billion of funding was made available for the first time to state, local and territorial partners over four years.
What’s next for Biden’s cyber policy and strategy?
Cybersecurity remains a growing concern. Accordingly, President Biden has made this one of the White House’s main policy concerns due to several alarming cyberattacks. The president’s executive order, broadcasted in May 2021, helps move the federal government to secure cloud services and a zero-trust architecture to help reduce the threat of breaches and attacks. Its provisions are bound to impact for years to come in protecting the federal networks, data and critical infrastructure on which so many Americans rely.
However, much more is likely needed to face the newest challenges posed by politically-adverse nation-states and malicious hackers.
The national security strategy released in early October 2022 briefly addresses the need to secure American cyberspace and its critical infrastructure, identifying power grids and pipelines as possible targets of countries aiming at weakening the U.S. by interfering with the delivery of essential services to citizens.
However, a more specific cybersecurity strategy document will probably need to tackle the need to protect critical infrastructure more aggressively, the gaps in the cybersecurity workforce and the possible imposing of stricter cyber requirements on private sector companies dealing with the government or handling privacy data.
- FACT SHEET: Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity, The White House
- FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, The White House
- Biden’s Infrastructure Bill: What Does It Mean for Cybersecurity?, Dice
- Biden-Harris Administration Announces $1 Billion in Funding for First-Ever State and Local Cybersecurity Grant Program, DHS.gov
- Biden’s Top Cybersecurity Officials, Explained, WSJ Pro Cybersecurity
- Statement by President Biden on our Nation’s Cybersecurity, The White House
- Statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger on SolarWinds and Microsoft Exchange Incidents, The White House
- Executive Order 13130, Government Publishing Office
- Executive Order 13231, CISA
- President Obama on Cybersecurity, The White House
- President Trump Unveils America’s First Cybersecurity Strategy in 15 Years, The White House
- National-Cyber-Strategy, The White House
- A Proclamation on Cybersecurity Awareness Month, 2022, The White House