Cyber & Tech

As cyber threats mount, including disinformation campaigns, election interference, and hacks on critical services and technology, the Biden administration has promised to make cybersecurity a top priority. Through a series of executive orders, the former Trump administration made notable moves to develop standards for cybersecurity risk management across various industries, expand domestic 5G infrastructure, limit risks from foreign technology providers—notably China’s Huawei—and expand the cyber-workforce. But the former administration also appeared to undercut some of its own gains amid the progress. It eliminated the cybersecurity coordinator role on the National Security Council (NSC), downgraded the Office of the Coordinator for Cyber Issues at the U.S. Department of State and fired the former director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, as the former president doubled down on false claims of election interference. By the end of his term, in a survey conducted by Cybersecurity 2020, 71 percent of cybersecurity professionals felt that the former administration had taken the U.S. in the wrong direction on cybersecurity.

Following the SolarWinds and Microsoft email server hacks, considered the largest and most sophisticated cyberattacks ever perpetrated, the U.S.’s cyber strategy has come under increasing scrutiny. The attacks highlighted weaknesses in the U.S. Cyber Command’s “defend forward” approach, particularly as the intelligence community (IC) failed to detect the massive hack until a private company, FireEye, notified affected parties. Secretary of State Antony Blinken has pinpointed China, Russia, Iran, and North Korea as ongoing critical cyber threats to the U.S. In July 2021, Australia, the EU, New Zealand, North Atlantic Treaty Organization (NATO) members, and Japan formally attributed the Microsoft Exchange hack to China, and for the first time in seven years, the U.S. and its allies have published a cyber approach to hold nations accountable in cyberspace, including intelligence sharing on cyberthreats and collaboration on network defenses and security. In addition to China, U.S. Ambassador to Russia John Sullivan said that while a majority of the focus has been on election interference, the U.S. faces a larger threat from aggressive cyber activity by elements of the Russian government. In a report published by the Office of the Director of National Intelligence (ODNI), the IC raised concerns regarding Russian supply chain operations against U.S.-based IT firms and growing investments in research and development by China and Russia in emerging technologies such as computing, biotechnology, and artificial intelligence (AI), which the IC warns “can be economically, militarily, and socially destabilizing.”

With cyber and technology security increasingly characterizing Great Power competition among China, Russia, and the U.S., President Biden has created new cyber-focused roles across the federal government. Former National Security Agency (NSA) Director of Cybersecurity Anne Neuberger is serving in a new position in the White House as Deputy National Security Advisor for Cyber and Emerging Technologies. Neuberger will join the National Security Council (NSC) in an advisory capacity and will play a leading role in the government’s investigation and response to the SolarWinds hack. Such responses include sanctions that the administration has imposed on Russia for its alleged cyberespionage activities with respect to SolarWinds and efforts to disrupt the U.S. election, as well as several executive orders that President Biden is preparing in order to address the country’s cybersecurity shortcomings. Through the 2021 National Defense Authorization Act (NDAA), Congress also created the Office of the National Cyber Director (ONCD) within the Executive Office of the President. Chris Inglis, a principal at WestExec Advisors who served as the former NSA deputy director, has been confirmed to the post as of June 2021.

The national cyber director (NCD) will hold a seat on the NSC and will be the president’s senior advisor on cybersecurity except for offensive and intelligence cyber-operations and programs. Working closely with Neuberger, National Security Advisor Jake Sullivan, and Biden’s CISA director Jen Easterly will serve critical leadership roles in coordinating an integrated response by federal departments, agencies, and the private sector against cyberattacks and campaigns. Neuberger would play a key role in developing options to respond to an attack by a foreign adversary, potentially including offensive cyber-operations. Although President Biden criticized the Trump administration’s handling of disinformation campaigns and cyberattacks, commenters note that the Biden team will likely continue some of the previous administration’s cyber and technology policies. Biden’s endorsement of Trump’s moves to replace Obama-era rules and give the military more freedom to conduct offensive cyber-operations on adversaries is notable.

Recognizing the scope of the threat and scale of the response required, President Biden is launching an “urgent initiative” to improve the nation’s cyber capabilities, readiness, and resilience in cyberspace, ranging from federal investments to enhancing multi-stakeholder collaboration with allies and the private sector. As part of the $1.9 trillion COVID-19 relief package, also known as the American Rescue Plan Act, he has allocated billions of dollars in funds to federal agencies such as CISA, the General Services Administration (GSA), and the U.S. Digital Service to modernize federal cybersecurity mechanisms and support cyber-initiatives. In light of the slew of attacks on vital institutions, from schools and hospitals to electric utilities and agriculture, the administration is doubling down on cybersecurity, specifically the threats posed by ransomware. Following the Colonial Pipeline hacking, Biden signed an executive order aimed at bolstering U.S. cyber defenses. One of the most significant components to the executive order is the requirement that all new software purchased by the government meet a certain standard of cybersecurity. Due to the government’s immense buying power, these new standards could result in enhancements across the entire technology sector. The U.S. Department of Homeland Security’s Transportation Security Administration has also signaled intentions to issue a security directive that will require pipeline companies to report cyber-incidents to federal authorities and additional mandatory standards for how companies safeguard their systems against cyberattacks. Previously, the agency has only offered voluntary guidelines. The U.S. Department of State’s Rewards for Justice (RFJ), which is administered by the Diplomatic Security Service, is now offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure. In August 2021, Easterly also announced the creation of the Joint Cyber Defense Collaborative (JCDC), a joint initiative with the private sector, including Amazon, Google, and Microsoft, which will work to prevent and reduce the impacts of cyber intrusions, as well as promote national resilience by coordinating actions to detect, deter, and respond to cyber activity targeting critical infrastructure.

The threat to critical infrastructure was laid bare back in February after an attempt to affect chemical levels in a Florida water-treatment facility and again when JBS, the world’s largest meat company by sales, suffered a ransomware attack that caused plants to shut down in North America and Australia, and the company to pay $11 million to the hackers. Chris Krebs has warned that society was “on the cusp of a global digital pandemic,” and FBI Director Christopher Wray asserted that the rise of cybercrime has impacted the American security apparatus similar to the 9/11 attacks. In response to the proliferation of ransomware attacks targeting critical sectors, the administration created the Ransomware Task Force. Secretary of Transportation Peter Buttigieg has advocated for upgrades before Congress and stated that cybersecurity is “central to ensuring our country’s economic security.” Currently, the proposed infrastructure bill includes $1 billion for state, local, and tribal governments to improve their cybersecurity infrastructure and $50 billion for protecting the electrical grid against such attacks.

Another core pillar of the administration’s agenda as part of its climate change efforts is to build sustainable infrastructure, which includes universal, reliable, and affordable high-speed internet access and secure 5G networks across the country, particularly for lower-income urban and rural communities as part of its efforts to bridge the digital divide. The Biden and Trump administrations’ efforts for domestic 5G infrastructures come on the heels of increasing security concerns that Huawei-made networks could allow the Chinese government to access data and spy on countries and companies. Although the Biden administration has not confirmed whether Huawei will remain on the U.S. Bureau of Industry and Security’s (BIS) entity list following former President Trump’s executive order in 2019, Secretary of Commerce Gina Raimondo stated that she will “use the full toolkit at [her] disposal to the fullest extent possible to protect Americans and [U.S.] networks from Chinese interference or any kind of back-door influence.” Her comments signal that trade and technology tensions will likely continue from the previous administration throughout Biden’s presidency. In June 2021, Biden signed an executive order replacing a Trump-era directive aimed at banning Chinese-owned mobile apps TikTok and WeChat. The former administration’s executive order had been blocked by a federal judge from implementing its rule on the apps, which the court ruled overstepped the administration’s legal authority by being “arbitrary and capricious.” Biden’s order is more expansive, prohibiting American companies from investing in many large Chinese technology firms, including Huawei and Chinese mobile carriers, due to their ties to the Chinese military or the Chinese government’s persecution of the Uyghurs.

Alongside modernizing U.S.-based infrastructure, Biden’s team has also raised concerns regarding Big Tech and its role in the global cybersecurity ecosystem. The Trump administration began probing into major tech companies such as Amazon, Facebook, and Google’s business practices, with the U.S. Department of Justice starting an antitrust investigation of the corporations’ activities in 2019. Likewise, U.S. allies are also investigating Big Tech for violations of antitrust regulations. As of June 2021, the EU had opened an investigation of Google’s advertisement business model, which it claims favors Google’s own advertisement services over its competitors in an anticompetitive manner. As a candidate, Biden similarly stated that he is open to dismantling large tech companies, pointing out Facebook as “a real problem.” Although both Trump and Biden each called for increased scrutiny of tech companies’ behaviors and influence in the information environment, they both have notably stopped short of directly demanding that the companies be broken up.

Questions have also arisen regarding content regulation as disinformation poses an increasing threat to democracies. As a “weapon of mass distraction,” foreign state-sponsored disinformation campaigns primarily by China, Iran, and Russia have targeted the U.S. and its allies in an effort to sow political and social division, disrupt elections, and erode trust in accurate information sources. The lack of incentives for U.S. tech platforms to self-contain disinformation has led President Biden to call for Section 230 of the Communications Decency Act, which limits liability for tech companies to moderate content, to be revoked. Simultaneously, concerns regarding global data governance have also grown, with the European Union’s General Data Protection Regulation (GDPR) and China’s cybersecurity laws serving as two of the most comprehensive approaches to data privacy regulation. Absent U.S. decision-making on how to address Big Tech, regional regulations may govern U.S.-based companies, in terms of both content and data governance. To tackle these multifaceted issues, the Biden administration is appointing Big Tech critics to influential positions across the federal government, such as Lina Khan to head the Federal Trade Commission and Tim Wu as special assistant to the president for technology and competition policy. Most recently, the FTC refiled a lawsuit against Facebook, regarding the company’s anti-competitive practices. Facebook has filed a petition for Khan to recuse herself from the case, stating that her work on the House investigation into platform monopolies shows a bias against the company. While there is no anticipation that Khan will recuse herself, the lawsuit is indicative of the harder stance the administration is adopting with respect to Big Tech and its efforts to rein in its influence in the digital ecosystem.

Looking to the future and acknowledging the need for a highly trained workforce in order to strengthen U.S. defenses against growing sophisticated cyberattacks and operations, President Biden is investing in a diverse talent base through investments and increasing opportunities for women and minorities within the federal cyber and technology ecosystem. In 2015, then-Vice President Biden supported the establishment of the Department of Energy’s Cybersecurity Workforce Pipeline Consortium and led a $25 million investment for cybersecurity education at historically black colleges and universities (HBCUs). To continue fostering the talent needed to address modern cyber threats, the administration plans to broadly invest $70 billion in colleges and universities that play critical roles in their communities, such as HBCUs, tribal colleges and universities (TCUs), Hispanic-serving institutions (HSIs), and Asian American and Native American Pacific Islander-serving institutions (AANAPISIs). However, it is currently unclear how much of this funding will be directly geared toward cyber education and training. As a candidate, Biden also pledged to provide educational opportunities for women to pursue science, technology, engineering, and mathematics (STEM) careers by investing in school vocational training and partnerships among high schools, community colleges, and employers.

The cyber arena remains largely bipartisan as Democrats and Republicans recognize the urgency to address cyber vulnerabilities and rein in Big Tech as well as the need to protect critical infrastructure, enhance U.S. cyber defenses, and build a strong cyber-workforce. Across the cyber and technological landscape, President Biden is urging collaboration across all government levels—local, municipal, state, and federal—and cooperation with partners and allies, particularly in Asia and Europe, to tackle cyberthreats. At the Munich Security Conference in February 2021, President Biden called on European partners to address cybersecurity, expressing his desire for multilateral cooperation on the issue and promising to recommit U.S. international engagement to create and uphold global norms in cyberspace and emerging technologies. Similarly, in March 2021, Australia, India, Japan, and the U.S., collectively known as the Quadrilateral Security Dialogue, asserted their cooperation on establishing international standards and initiatives with respect to emerging and critical technology (particularly 5G and AI) and enhancing cybersecurity as a means to combat China’s growing economic and technological influence in the region. In April 2021, National Security Advisor Jake Sullivan signaled the administration’s support for new EU restrictions on how companies can use AI and pointed to Australia as a key ally with which to tackle cybersecurity, suggesting that the administration is eager to cooperate with allies and leverage existing alliances such as the Five Eyes (Australia, Canada, New Zealand, the U.K., and the U.S.) to address global threats to cyber and technology security. To that end, the Biden administration and the EU plan to form a new EU-U.S. Trade and Technology Council (TTC) to combat China’s growing dominance in the technology and trade sectors. The alliance plans to address issues ranging from tech supply chains to investments in digital projects. In its interim national security guidance, the Biden team identifies cyberattacks and digital authoritarianism as key threats to democracies worldwide, and cyber and technology challenges were a central issue at the 2021 Copenhagen Democracy Summit. The ability of technology to bolster democratic institutions was also a key component of the summit, however, the event was notably funded in part by Facebook, Microsoft, and Twitter. Still, the administration will face myriad obstacles addressing the evolving threat while balancing the rest of its foreign policy priorities, particularly COVID-19 and climate change.

Challenges for the Biden Administration

Attribution problem makes holding countries accountable to global norms difficult. One core pillar of Biden’s strategy to enhance U.S. deterrence and cyber defense is establishment of a set of global norms and holding those who violate standards of behavior accountable. While calls for a “Digital Geneva Convention” have been long standing from key private-sector actors, particularly Microsoft, it is difficult to control hacking when the likelihood of plausible deniability is high. The majority of offensive U.S. cyber-operations are conducted out of a central agency—the U.S. Cyber Command—but for countries such as China and Russia, attribution is far more difficult to delineate. China commonly uses third-party organizations to hack into specific targets. Although Russian president Vladimir Putin asserts that Russia has never hacked other nations’ elections, he has described hackers as “artists” and “patriots” who are not under the Russian government’s control. Following the Colonial Pipeline hacking, President Biden pointed to Russia for creating a safe haven for hackers, though he did not go so far as to ascribe the hack directly to the Russian government. At the June 2021 summit between Presidents Biden and Putin, Biden shared a list of the U.S.’s designated critical infrastructure sectors that he labeled as “off-limits to attack” by cyber or other means. It is unclear the extent to which both leaders discussed how cyber criminals should be held accountable or how both countries will cooperate over cybersecurity attacks originating within their borders but not directly involving their governments. In a July 2021 call between Biden and Putin, Biden criticized the Russian government’s harboring of criminal hackers and its failure to prosecute them and prevent their destabilizing activities. Historically, the U.S. has benefitted from ambiguous international cyber standards, reportedly hacking the Russian electrical grid and Iran’s nuclear power plants, essentially using cyber tools as weapons short of war. Critics note that the U.S.’s use of the cyber arena to pursue its own geopolitical agenda leaves it at a disadvantage when it comes to establishing and enforcing international norms of behavior, particularly against adversaries, as the U.S.’s actions have also adversely affected other countries’ economies and security.

Lack of multi-stakeholder coordination impedes the development of U.S. cyber defenses. For years, private companies have formed cybersecurity alliances and established industry-specific rules regarding tech and cyber security, such as the Cybersecurity Tech Accord and the Charter of Trust. As the Biden administration looks to lead the international community by example, the federal government has struggled to adopt a comprehensive approach to cyber and technology security. Since 2010, the U.S. Government Accountability Office (GAO) has made 3,300 recommendations to federal agencies to address high-risk cybersecurity shortcomings, and in a report published in March 2021, it found that as of December 2020, more than 750 of those recommendations had not yet been implemented. In another instance, the U.S. Department of State failed to involve or communicate with agency partners about the reorganization of the Bureau of Cyberspace Security and Emerging Technologies (CSET), its cyber diplomacy bureau. The position of cyber coordinator at the Office of the Coordinator for Cyber Issues at the U.S. Department of State also notably remains vacant since Chris Painter left the post in 2017. Whether the administration fills this coordinator post could serve as an indicator of how seriously the Biden team will take cyber diplomacy and the coordination of international cyber norms. At the same time, the Cyber Diplomacy Act requires the U.S. Department of State to create an ambassador role for cyber diplomacy as well as the creation of a new Bureau of International Cyberspace Policy, raising questions as to how the administration, specifically Secretary of State Antony Blinken, will establish and reconcile these positions and efforts throughout the department. As cyber threats have risen in frequency and complexity, disparate, piecemeal attempts across various agencies have resulted in an uncoordinated cybersecurity approach and ill-prepared defenses. Although the ONCD will fulfill the role as a government-wide coordinator, the efficacy of this position is still to be determined. In the meantime, the Cyber Solarium Commission (CSC) has called for the creation of a federally funded center to develop cybersecurity insurance certificates and public-private partnerships on cyber risk models.

Legal barriers limit domestic visibility in critical technology. While cyber regulation is still developing in the U.S., current laws (see executive order 12333) that justifiably protect civil liberties and privacy also limit the federal government’s ability to respond to domestic cyberattacks that affect critical infrastructure located within the U.S. or data belonging to American citizens. In the case of the SolarWinds hack, the attackers exploited the legal barriers among the IC, law enforcement, and U.S. citizens, hindering the government’s ability to respond and thereby making the precision of the coordinated attack more dangerous. Neuberger notes that building relationships with the private sector will be critical to ensure that civil liberties are protected while the government continues its investigation and rebuilds its defenses, given that the private sector owns approximately 87 percent of federal infrastructure. Indeed, the private sector will play a crucial role in bolstering U.S. cyber defenses, particularly as non-state actors, such as cyber-criminals, are increasingly exploiting the interconnected environment; mounting sophisticated cyber-operations; targeting financial institutions and smaller targets; and being used by other countries as a means to evade sanctions, launch attacks with a degree of plausible deniability, and learn foreign technical expertise. In April 2021, Secretary of Energy Jennifer Granholm, Easterly, and the electricity industry launched a 100-day cybersecurity pilot program to evaluate the U.S.’s electric grid and the energy sector’s supply chain, and to strategize policies to protect this critical infrastructure sector.