President Joe Biden made cybersecurity a top priority for his administration even before he took office last month.
In December, shortly after threat researchers disclosed the SolarWinds hack that hit upwards of 250 government agencies and major tech companies, Biden pledged to “make dealing with this breach a top priority from the moment we take office.”
“My administration will make cybersecurity a top priority at every level of government,” the then-president-elect said in a statement.
However, Biden’s emphasis on cybersecurity goes deeper than SolarWinds. “This was part of his campaign platform. It’s not just something that’s purely reactionary or politically motivated,” said Lee Feldman, a strategy development manager for M12, which is Microsoft’s corporate venture arm. “It was legitimately one of the things that he ran on, and some of his key personnel moves are good indicators of how big of a priority cybersecurity is going to be under the Biden administration.”
Since his inauguration, Biden has tapped several cybersecurity veterans with both public and private sector experience to fill posts that had been eliminated under the Trump administration, and earmarked about $10 billion for various cybersecurity initiatives.
“It highlights how cyber is one of [Biden’s] top three priorities,” VMware’s Head of Cybersecurity Strategy Tom Kellermann said. Kellermann also sits on the U.S. Secret Service’s inaugural cyber investigations advisory board and he served on Obama’s cybersecurity commission.
“You have the COVID, you’ve got the economy, and you have cyber,” Kellermann said. “And you have a president who has really called out cyber for being an imperative as much as the previous regime literally went in there and gutted our cyber apparatus. … This is going to be the most pivotal year in American cyberspace. We will either win this fight to civilize American cyberspace, or we will lose it.”
And in this cyberspace battle, Biden’s already tapped several of his top generals.
Biden’s Cybersecurity Squad
Insiders expect Biden to pick Jen Easterly, a former National Security Council official who now is head of resilience at Morgan Stanley, as his national cyber director to lead the newly created White House office that will coordinate cybersecurity operations for the federal government.
Last week, the administration appointed Chris DeRusha, a former Obama-era cybersecurity official, as the government’s new chief information security officer (CISO). DeRusha also worked for the Biden campaign to prevent a repeat of the 2016 Russian hacking fiasco.
Additionally, Dave Luber will serve as the NSA’s cybersecurity director on an interim basis, according to CyberScoop. Earlier this month Biden moved the most recent NSA cybersecurity director, Anne Neuberger, into the White House National Security Council, where she will be the deputy national security adviser for cyber and emerging technology. Rob Joyce, the former NSA liaison officer in the U.K., will replace Neuberger.
In addition to Biden’s readiness to appoint top-level officials, it’s also encouraging to see two women play prominent cybersecurity roles under the new administration, said Kelvin Coleman, executive director of the National Cyber Security Alliance.
“We shouldn’t have to mention this in 2021, but I think the administration is really showing that there are a number of women out there who are absolutely leading in this area,” he said. “It’s about time that we put people with the appropriate ability in the appropriate place, no matter their gender — and hopefully race at some point.”
None of the appointees announced thus far are people of color.
Bolstering the Night’s Watch
Biden also reportedly plans to nominate Rob Silvers, a former Obama administration DHS official, to be director of the Cybersecurity and Infrastructure Security Agency (CISA), which oversees election security and protects federal networks and infrastructure from hacks. If he’s confirmed by the Senate, Silvers will replace Chris Krebs, whom Trump fired after Krebs disputed Trump’s false claims about election fraud.
Other reports suggest Biden will name Eric Goldstein, another DHS veteran, to lead CISA’s Cybersecurity Division.
“I call them the dream team,” Kellermann said. “They are exactly what we needed to bolster the Night’s Watch to use a GoT reference. They are exactly what we need to counter the insurgency that is currently being waged in American cyberspace, because there was really an absence of leadership, aside from Krebs going out of bounds and fighting the good fight, under the previous administration.”
Kellermann also pointed to the recent Senate confirmations of Antony Blinken to serve as secretary of state and Avril Haines to be the director of national intelligence. “These folks are very cyber savvy, as is the National Security Advisor [Jake Sullivan],” he said. “And not only are they cyber savvy, but they specialize in Russian policy and Russian everything,” which is important because Russian cyberattacks pose an urgent threat to national security, Kellermann added. “Right now we need to deal with Russia. Period.”
In his first call to Vladimir Putin last week, Biden confronted the Russian president about the SolarWinds hack, and most observers expect the new administration to take a harder stance on Russia, specifically, and nation-state cyberattacks overall.
Kellermann said he expects an uptick in sanctions against nation states for cyberattacks, and he predicts the government will get more aggressive in its efforts to seize digital currencies associated with cybercrime and espionage. “I’ve been advocating for the creation of a superfund for those forfeited assets in Treasury and using those monies to fund critical infrastructure projects in the U.S.,” Kellermann said. He also wants to see Congress “pass a law that would provide a tax credit for companies that invest a certain portion of their IT budgets in cybersecurity and also have a dedicated CISO.”
CISA ‘Put on Steroids’
Now that the Biden administration is re-engaging with the global community, Kellermann expects U.S. cybersecurity officials to work more closely with their foreign counterparts in allied nations, “and there will be a dramatic strengthening of NATO’s cyber capabilities.”
CISA under the new leadership will likely expand its threat hunting efforts beyond elections and federal network infrastructure and into critical infrastructure, Kellermann said. “I think CISA will be put on steroids.”
Of course, all of this requires investments, and to this end Biden proposed about $9 billion for CISA as well as a broad security upgrade across the federal government. Biden also wants to invest $300 million to build new secure technology programs at the General Services Administration, $200 million to recruit new cybersecurity technology and engineering expertise, and $690 million to improve security monitoring and incident response across the government.
“President Biden’s new proposal of a funding injection to shore up the U.S.’s cybersecurity capabilities should hopefully allow our country to better remediate some of the issues in improving security monitoring and incident response across the government,” said Stephen Moore, VP and chief security strategist at Exabeam.
However, cybersecurity is a major challenge that spans people, processes, and technology, and addressing it involves more than signing multi-million-dollar checks. It also requires a strategy and infrastructure refresh, and observers say Biden’s team is up to the task.
Cybersecurity Strategy Spanning People, Processes, and Tech
In 2019, Congress established the Cyberspace Solarium Commission under the national defense spending bill and tasked it with developing a strategy to defend the U.S. against major cyberattacks. Last March it issued its report with more than 80 recommendations to implement a defensive strategy.
Just this month it issued a transition book for the Biden-Harris administration that suggests cybersecurity policies, including three top processes that the commission said “will elevate cybersecurity as an imperative across the government and put the United States on a path toward reducing the probability and impact of cyberattacks against it.” The three process recommendations are establishing an office of national cyber director, developing a national cyber strategy, and improving existing government cybersecurity efforts by strengthening partnerships with the private sector.
“What’s encouraging about this is that it’s not just an ask for a call to throw money at issue,” Feldman said. “This is a well-rounded set of priorities across people, processes, and technology that will really help drive the change needed. … The issues with the fundamental IT system architecture within the government is so significant, and it has so many connections to cybersecurity, that we can’t look at these things in isolation. We really need to look at the bigger picture of what is the end-to-end strategy, what are the investments we need to make, and how do we sustain this in a non-political way that’s going to transcend this administration and set the foundation for future.”
Moving to Zero Trust Security
Feldman said he expects much of the technology investment and strategy to focus on protecting government networks with a zero-trust architecture. “This is the concept of eliminating any trust from the network, and really scrutinizing any access into that network,” he said. “Essentially, it’s figuring out what is the perimeter and protecting all angles of it.”
The commercial sector has moved toward this more proactive approach to security in recent years, and it’s time the public sector follow suit, he explained. To this end, Feldman expects the government to invest across “the four pillars of zero trust:” identity management, conditional access, endpoint security, and application management.
“We need to move to the front lines, and start being hunters, finding these vulnerabilities before they happen,” Feldman said.
As the traditional network perimeter continues to disappear, it’s time to move beyond the government’s Einstein system and toward zero-trust networking, which will also help protect against future supply-chain attacks like SolarWinds, said Eric Wenger, who leads Cisco’s security policy work.
“There is a growing recognition that [the Einstein] system kind of outlived its usefulness, because the way that we build and use networks now has dramatically changed,” Wenger said. “And so the idea that you can sit on the perimeter and then watch all the traffic as it comes through is not effective if you have an adversary who is operating behind your lines and then making a horizontal attack. This is an opportunity for the government to make sure that the investment reflects the way that technology is currently being used and the threat surface that results from that.”
Which Cybersecurity Vendors Will Benefit?
Of course, this also represents opportunities for vendors that provide zero-trust and DevSecOps tools as well.
As the government’s IT infrastructure becomes more cloud-based and agile, its security products must follow suit. DevSecOps tools, which embed cybersecurity controls and processes into DevOps, “give users the ability to manage their security operations in a more automated, agile, and streamlined way, and it’s the same technology that’s enabling cutting-edge technology companies to do their work,” Feldman said.
In addition to DevSecOps vendors, Feldman expects identity management, conditional access, endpoint security, and application management companies to reap the benefits of a cybersecurity-focused administration.
“I can name a million companies that are innovating in these spaces — there’s so many,” he said. “But I think that the ones that are going to really see some of this opportunity are those with a desire for service, those that want to do business with the government to help the country and its citizens. And those who also recognize the opportunity and have the patience to go through those processes, and ultimately potentially reap very large, long-standing awards.”