Biden Wants to Reboot America’s Cyber Defenses

U.S. President Joe Biden has had a rough couple of years on the cyber frontier. He inherited a massive hack that hit dozens of federal agencies, uncovered weeks before he took office, followed by two ransomware attacks that extracted more than $15 million from America’s largest oil pipeline and the world’s biggest meat producer (only a fraction of it was recovered), followed by a year spent helping protect Ukraine’s digital environment from Russia, the country linked to all three of those incidents. Now, Biden wants to make sure the second half of his term is less eventful than the first.

The administration’s National Cybersecurity Strategy, released to the public on Thursday, lays out a plan to “use all instruments of national power to disrupt and dismantle threat actors whose actions threaten our interests,” including diplomatic, financial, and military responses. “We have a duty to the American people to also double down on tools that only government can wield, including the law enforcement and military authorities to disrupt malicious cyber activity and pursue their perpetrators,” Kemba Walden, the acting national cyber director, told reporters on Wednesday.

Multiple former officials and experts commended the document as a groundbreaking step forward in shoring up U.S. cyber defenses—providing a clear vision and plan for government and the private sector alike. “This is, I think, the best cybersecurity strategy the government has ever produced,” said Jonathan Reiber, vice president of cybersecurity strategy and policy at software company AttackIQ, who served as chief strategy officer for cyber policy in the office of the U.S. Secretary of Defense during the Obama administration. “This is not rhetoric—this is like measurable technological and economic outcomes that they’re looking for. And that is really what’s required when we’re talking about changing the cybersecurity landscape.”

The strategy, building on similar goals set out by the Trump administration in 2018, reflects a more aggressive approach to thwarting cyberattacks taken by agencies such as the FBI, which—in the past year—has taken down a massive cyber operation linked to Russian intelligence services and prevented one of the world’s biggest ransomware groups from collecting more than $130 million from its victims.

Biden’s new document rests on five key pillars: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to improve resilience, investing in next-generation technologies, and forging international partnerships.

The Biden administration is calling for greater coordination between federal agencies to disrupt cyber attackers; the blurring of lines between cybercriminals and nation state cyber attackers—the focus of the FBI and U.S. Defense Department, respectively—has been accelerated by the war in Ukraine. The strategy aims to “develop technological and organizational platforms that enable continuous, coordinated operations,” expanding the capacity of the National Cyber Investigative Joint Task Force “to coordinate takedown and disruption campaigns with greater speed, scale, and frequency.”

Ransomware, previously seen as a criminal activity, has now become a crucial pillar of cyber defense with the targeting of critical infrastructure, such as water supplies, pipelines, and hospitals. “We are looking at the ransomware problem as a national security threat,” a senior administration official told reporters on Thursday.

Biden’s strategy also lays greater emphasis on the private sector through collaboration and regulation—floating minimum cybersecurity requirements for certain sectors and greater liability for tech companies that release vulnerable software—as well as greater coordination with allies to thwart attacks perpetrated by adversaries such as China, Russia, Iran, and North Korea.

The policy reflects a more proactive government approach to defending U.S. cyberspace than in previous administrations, but it’s also a recognition of the limited role that the government plays in countering digital threats. “The government is in charge of different parts of the federal enterprise, but [it’s] not in charge of the states, not in charge of business or any nonprofit organizations,” said Bob Gourley, chief technology officer at the strategy and risk management firm OODA and a former chief technology officer at the Defense Intelligence Agency. He consulted with the administration on earlier drafts of the new strategy and said the key will be convincing corporations and the public of the gravity of the threat. “What’s going to make the biggest difference is convincing people how important this is,” he said.

The other big question is how—and how quickly—it can be implemented. Adding new regulations will likely require wrangling in Congress, and overhauling cybersecurity requirements on the private sector could engender some pushback from companies. Measures floated by the government include increased accountability for companies that control large amounts of user data, establishing cybersecurity standards for software makers to adhere to, and providing “safe harbor” provisions for companies that adhere to those standards.

“Clearly that’s going to be an area where the details are going to matter, and finding consensus is going to be a significant area that needs a lot of deliberate focus,” said Brendan Peter, vice president of global government affairs at cybersecurity ratings firm SecurityScorecard. An implementation plan for the strategy will be made public in the coming months, a senior administration official said Wednesday.

Reiber said, however, that the private sector is now far more receptive to cyber regulation than it has been in the past, with the war in Ukraine really crystallizing its role in the cyber defense landscape.

“All the Big Tech companies have been tremendously helpful in helping the Ukrainian people build a more robust and secure digital infrastructure,” Reiber said. “So they are acutely aware of the threats that are out there and what needs to be done to mitigate them. We’ve seen a much deeper hand-in-glove approach between the federal government and the technology sector in the last four or five years. They’ve had to become allies in the struggle against nation state threats.”

Another notable aspect of the administration’s new strategy is its focus on China after a half-decade or more spent fending off cyber mischief from Moscow, including those attacks mentioned earlier and Russia’s interference in the 2016 and 2020 U.S. elections. Soon after the Russia-linked SolarWinds hack that affected several government agencies, a massive global hack of Microsoft email servers was blamed on Chinese government attackers by the Biden administration and its allies. That attack found a mention in this week’s strategy document, which described China as “the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

The recognition of China as the primary strategic threat is echoed across branches of government, including the Pentagon.

“China first, Russia always,” Col. Candice Frost, commander of the Joint Intelligence Operations Center at U.S. Cyber Command, said at a cybersecurity event this week. “We really have to continue to keep our eye on China and the work that they’re doing, even though we spend an inordinate amount—and rightly so—of time looking at Russia.”

Reiber said the Biden administration has struck the right tone and balance between the Russian and Chinese threats. “They take a much more geopolitical view towards what China’s going to be doing in cyberspace over the long term, and I think that’s exactly right,” he said. “Anyone who’s been doing federal national security or cybersecurity for the last seven years at minimum has been focused intensely on Russia, but what they’re saying strategically is our principal concern is China over the long term, and I think that’s also very important.”

Intensifying cooperation with partners and allies will be key to thwarting cyber adversaries, Gourley said, comparing the push to the Five Eyes intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand created during World War II.

“Well, we need far more than just five countries now working on cybersecurity, so what does that regime look like?” Gourley asked. “We’re going to need, in the implementation plan, to see what kind of treaty organization could we stand up—like the cyber version of Five Eyes.”