Washington Needs a Cybersecurity Overhaul
When they enter office, Biden and Harris must make up for lost ground.
As made clear by the revelations this week about suspected Russian hacks into various federal agencies, U.S. President-elect Joe Biden and Vice President-elect Kamala Harris face a daunting task when it comes to cybersecurity. Nine years ago, as vice president, Biden delivered remarks advocating for a free, open, and secure Internet while highlighting the need to protect against the cyberthreats targeting Americans daily.
Years later, the dangers are ballooning in scope and size, authoritarian governments are gaining ground in their efforts to control the Internet for their citizens, and the administration of U.S. President Donald Trump has downgraded the country’s cyberdiplomacy efforts. But as a new report from the think tank Third Way, where one of us is deputy director, makes clear, there are things Biden and Harris can do to strengthen and protect the United States.
There is no shortage of research that highlights the different cyberthreats faced by the United States. Much of the discourse has focused on threats posed by nation-states, such as Iran and Russia, to the United States’ critical infrastructure, including its election systems. All this is, of course, important. But there is perhaps no threat that has a greater impact on all aspects of American society on a daily basis than cybercrime. According to polling, 1 in 4 American households has been impacted by some form of cybercrime, and, according to Third Way, only 3 in 1,000 of these cybercrime incidents ever see an arrest of the perpetrator.
Biden and Harris understand all this. As a senator, Biden pushed for more resources to fight cybercrime. And as vice president, he took a forceful stand against intellectual property theft, pushed for more global cybersecurity cooperation, and supported efforts to bolster the ranks of the United States’ cybersecurity workforce. Harris has also been a strong champion of cybersecurity and technology policy issues in the Senate and, as California attorney general, launched the state’s cybercrime center.
Now, at the top of the U.S. government, they’ll have to make up for lost ground. Under the Trump administration, the U.S. government did pursue a comprehensive approach that yielded some success in imposing consequences for cybercrime and building new partnerships with foreign governments to combat state cyberterrorism. The Department of State, in particular, has taken a leading role in these efforts, and the hardworking women and men left at the department should be commended. But this work was, in some cases, undermined by Trump and his allies. Where former U.S. President Barack Obama often raised cybersecurity issues in his discussions with other leaders, leading to increased cooperation and dialogues, Trump preferred to ignore the issue.
The Trump administration also downgraded the United States’ architecture for handling international engagement on cyberthreats, which are typically global in scope and require an unprecedented level of cross-border cooperation. The Trump administration downgraded the Office of the Coordinator for Cyber Issues at the State Department, which was established by former Secretary of State Hillary Clinton and led by one of the authors. The United States was the first country to establish such a senior-level position to spearhead its global cybersecurity engagement. Downgrading the post eliminated its direct connection to the secretary of state and sent a signal to the United States’ allies, partners, and adversaries alike that cyberdiplomacy is not a top priority for the U.S. government. The Trump administration has also proposed cuts to critical programs at the State Department aimed at boosting the cybersecurity capacity of other countries.
There are plenty of things the Biden-Harris administration can do immediately to reverse course and deal with evolving cybersecurity challenges.
First, the new secretary of state should establish an office of international cyberspace policy led by an experienced official with the rank and status of ambassador to restore the United States’ global leadership on cyberdiplomacy. The office will need the authority to coordinate all aspects of international diplomacy related to cybersecurity policy issues—instead of each bureau pursuing its own goals in this area. Congress has introduced legislation to establish such an office, but it has languished amid fights between the Trump administration and Capitol Hill. The Biden administration should revive the effort in its first 100 days.
Second, the Biden-Harris administration should build an explicit strategy for repairing the global alliances that have been weakened under the Trump administration and for advancing diplomacy related to cybersecurity priorities. The administration should build on successful aspects of prior cybersecurity engagement strategies by formally assessing what is working and what is not. Because cybercrime has largely not received attention in previous strategies, it must be one area of central focus. The new strategy should also lay the groundwork for the U.S. government to play a more strategic and productive role in its engagement with international organizations, including the United Nations, on these issues. This will be particularly critical as the U.S. government decides how to engage in negotiations on a new cybercrime treaty pushed by Russia and in continued debates on cybersecurity norms.
Third, Biden and Harris should be prepared to put cybersecurity issues on the agenda in meetings with other heads of states and ministers. They’re too often dismissed as the province of technical experts, but they are, in fact, core issues of national security, economic prosperity, human rights, and, ultimately, foreign policy. There is no better way to mainstream cybersecurity than having it on the agenda when the president and vice president meet with their peers. At the heart of this engagement, the U.S. government must also commit to living by the cybersecurity norms it is promoting and work to enforce those norms when they are violated.
Fourth, the new administration must evaluate how cybersecurity sanctions can be employed more strategically and consistently. Since Obama first instituted a cybersecurity-related sanctions regime five years ago, sanctions have become an often-used tool to punish hard-to-reach malicious actors. But they are not always applied in a way that would change a bad actor’s calculus, and—even worse—are undermined by contrary messaging. The time is ripe to reassess those sanctions and determine whether they might be more effectively employed.
Fifth, the incoming administration should prioritize global cybersecurity capacity building in its budget and make sure adequate resources are provided to determine the impact. Some countries lack the ability to conduct investigations into cybercrime and other cyberactivity. While the U.S. government has provided foreign aid to help address these capacity gaps, the State Department has not seen a big boost in these resources by Congress despite the proliferation of the threats. Additionally, as the outgoing chair of the House Foreign Affairs Committee, Eliot Engel, and ranking member Michael McCaul highlighted last year, the department has little ability to assess, monitor, or evaluate whether the funding is making a difference. The State Department needs a comprehensive framework to allow it to better monitor its efforts.
Lastly, the Biden administration should prioritize reforms to the mechanisms the U.S. government uses to share and request cross-border data. Washington needs healthy partnerships with other countries and the private sector to help investigate, arrest, prosecute, and, when warranted, extradite criminals operating outside U.S. jurisdiction. But processes for foreign governments to request the data held in the United States that is needed for such cooperation remain too slow and cumbersome. Attempts in recent years to overcome these challenges might have some impact but are expected to be limited in scope. It will be critical for the attorney general to prioritize negotiations and further reforms aimed at making cross-border data-sharing more efficient.
Biden and Harris will be faced with an endless array of national security threats and a U.S. foreign-policy machine in dire need of repair. They will have to make tough decisions about what to prioritize, but will have no choice but to take on the cybersecurity threats that continue to endanger U.S. national, economic, and human security. The challenges in addressing these threats are (seemingly) intractable, but Biden and Harris’s records demonstrate that, with their strong leadership, progress is possible.
Chris Painter was the U.S. Department of State’s first coordinator for cyber issues from 2011 to 2017 and a former federal cybercrime prosecutor.