To access the Biden Power Map, sign up for FP Insider, a data-driven subscription service from Foreign Policy that gives professionals critical insights into the global issues impacting their business.

FP Insiders get full access to this and all Power Maps and Special Reports created by FP Analytics, Foreign Policy’s research division.

We work closely with organizations from all sectors to activate FP Insider access at scale—and at maximum savings. Learn more and request an FP Insider demo.

Cyber & Tech: Policy Briefing

Cyber & Tech

The Biden Plan for Cyber and Technology Security

UPDATED June 18, 2021

As cyber threats mount, including disinformation campaigns, election interference, and hacks on critical services and technology, the Biden administration has promised to make cybersecurity a top priority. Through a series of executive orders, the former Trump administration made notable moves to develop standards for cybersecurity risk management across various industries, expand domestic 5G infrastructure, limit risks from foreign technology providers—notably China’s Huawei—and expand the cyber-workforce. But the former administration also appeared to undercut some of its own gains amid the progress. It eliminated the cybersecurity coordinator role on the National Security Council (NSC), downgraded of the Office of the Coordinator for Cyber Issues at the Department of State and fired the former director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, as the former president doubled down on false claims of election interference. By the end of his term, in a survey conducted by Cybersecurity 2020, 71 percent of cybersecurity professionals felt that the former administration had taken the U.S. in the wrong direction on cybersecurity.

Following the SolarWinds and Microsoft email server hacks, considered the largest and most sophisticated cyberattacks ever perpetrated, the U.S.’s cyber strategy has come under increasing scrutiny. The attacks highlighted weaknesses in the U.S. Cyber Command’s “defend forward” approach, particularly as the intelligence community (IC) failed to detect the massive hack until a private company, FireEye, notified affected parties. Secretary of State Antony Blinken has pinpointed China, Russia, Iran, and North Korea as ongoing critical cyber threats to the U.S. U.S. Ambassador to Russia John Sullivan said that while the focus has primarily been on election interference, the U.S. faces a larger threat from aggressive cyberactivity by elements of the Russian government. In a recent report published by the Office of the Director of National Intelligence (ODNI), the IC raised concerns regarding Russian supply chain operations against U.S.-based IT firms and growing investments in research and development by China and Russia in emerging technologies such as computing, biotechnology, and artificial intelligence (AI), which the IC warns “can be economically, militarily, and socially destabilizing.”

With cyber and technology security increasingly characterizing Great Power competition among China, Russia, and the U.S., President Biden has created new cyber-focused roles across the federal government. Former National Security Agency (NSA) Director of Cybersecurity Anne Neuberger is serving in a new position in the White House as Deputy National Security Advisor for Cyber and Emerging Technologies. Neuberger will join the National Security Council (NSC) in an advisory capacity and will play a leading role in the government’s investigation and response to the SolarWinds hack. Such responses include sanctions that the administration has imposed on Russia for its alleged cyberespionage activities with respect to SolarWinds and efforts to disrupt the U.S. election, as well as several executive orders that President Biden is preparing in order to address the country’s cybersecurity shortcomings. Through the 2021 National Defense Authorization Act (NDAA), Congress also created the Office of the National Cyber Director (ONCD) within the Executive Office of the President. Chris Inglis, a principal at WestExec Advisors who served as the former NSA deputy director, will be nominated to the post.

The national cyber director (NCD) will hold a seat on the NSC and will be the president’s senior advisor on cybersecurity except for offensive and intelligence cyber-operations and programs. Working closely with Neuberger, National Security Advisor Jake Sullivan, and, if confirmed, Biden’s CISA director nominee Jen Easterly, the NCD will serve a critical leadership role in coordinating an integrated response by federal departments, agencies, and the private sector against cyberattacks and campaigns. Neuberger would play a key role in developing options to respond to an attack by a foreign adversary, potentially including offensive cyber-operations. Although President Biden criticized the Trump administration’s handling of disinformation campaigns and cyberattacks, commenters note that the Biden team will likely continue some of the previous administration’s cyber and technology policies. Biden’s endorsement of Trump’s moves to replace Obama-era rules and give the military more freedom to conduct offensive cyber-operations on adversaries is notable.

Recognizing the scope of the threat and scale of the response required, President Biden is launching an “urgent initiative” to improve the nation’s cyber capabilities, readiness, and resilience in cyberspace, ranging from federal investments to enhancing multi-stakeholder collaboration with allies and the private sector. As part of the $1.9 trillion COVID-19 relief package, also known as the American Rescue Plan Act, he has allocated billions of dollars in funds to federal agencies such as CISA, the General Services Administration (GSA), and the U.S. Digital Service to modernize federal cybersecurity mechanisms and support cyber-initiatives. In the aftermath of the May 2021 Colonial Pipeline hacking, Biden signed an executive order aimed at bolstering U.S. cyber defenses, particularly against ransomware attacks. One of the most significant components to the executive order is the requirement that all new software purchased by the government meet a certain standard of cybersecurity. Due to the government’s immense buying power, these new standards will result in enhancements across the entire technology sector. The Department of Homeland Security’s Transportation Security Administration has also signaled intentions to issue a security directive that will require pipeline companies to report cyber-incidents to federal authorities and additional mandatory standards for how companies safeguard their systems against cyberattacks. Previously, the agency has only offered voluntary guidelines.  Additionally, the administration has allocated $20 billion from the American Jobs Plan, a large-scale infrastructure package, for cybersecurity upgrades in local, state, and tribal governments. Secretary of Transportation Peter Buttigieg advocated for the upgrades before Congress and stated that cybersecurity is “central to ensuring our country’s economic security.”

Another core pillar of the administration’s agenda as part of its climate change efforts is to build sustainable infrastructure, which includes universal, reliable, and affordable high-speed internet access and secure 5G networks across the country, particularly for lower-income urban and rural communities as part of its efforts to bridge the digital divide. The Biden and Trump administrations’ efforts for domestic 5G infrastructures come on the heels of increasing security concerns that Huawei-made networks could allow the Chinese government to access data and spy on countries and companies. Although the Biden administration has not confirmed whether Huawei will remain on the U.S. Bureau of Industry and Security’s (BIS) entity list following former President Trump’s executive order in 2019, Secretary of Commerce Gina Raimondo stated that she will “use the full toolkit at [her] disposal to the fullest extent possible to protect Americans and [U.S.] networks from Chinese interference or any kind of back-door influence.” Her comments signal that trade and technology tensions will likely continue from the previous administration throughout Biden’s presidency.

Alongside modernizing U.S.-based infrastructure, Biden’s team has also raised concerns regarding Big Tech and its role in the global cybersecurity ecosystem. The Trump administration began probing into major tech companies such as Amazon, Facebook, and Google’s business practices, with the Department of Justice starting an antitrust investigation of the corporations’ activities in 2019. As a candidate, Biden similarly stated that he is open to dismantling large tech companies, pointing out Facebook as “a real problem.” Although both Trump and Biden each called for increased scrutiny of tech companies’ behaviors and influence in the information environment, they both have notably stopped short of directly demanding that the companies be broken up.

Questions have also arisen regarding content regulation as disinformation poses an increasing threat to democracies. As a “weapon of mass distraction,” foreign state-sponsored disinformation campaigns primarily by China, Iran, and Russia have targeted the U.S. and its allies in an effort to sow political and social division, disrupt elections, and erode trust in accurate information sources. The lack of incentives for U.S. tech platforms to self-contain disinformation has led President Biden to call for Section 230 of the Communications Decency Act, which limits liability for tech companies to moderate content, to be revoked. Simultaneously, concerns regarding global data governance have also grown, with the European Union’s General Data Protection Regulation (GDPR) and China’s cybersecurity laws serving as two of the most comprehensive approaches to data privacy regulation. Absent U.S. decision-making on how to address Big Tech, regional regulations may govern U.S.-based companies, in terms of both content and data governance. To tackle these multifaceted issues, the Biden administration is appointing Big Tech critics to influential positions across the federal government, such as Lina Khan to head the Federal Trade Commission and Tim Wu as special assistant to the president for technology and competition policy.

Looking to the future and acknowledging the need for a highly trained workforce in order to strengthen U.S. defenses against growing sophisticated cyberattacks and operations, President Biden is investing in a diverse talent base through investments and increasing opportunities for women and minorities within the federal cyber and technology ecosystem. In 2015, then-Vice President Biden supported the establishment of the Department of Energy’s Cybersecurity Workforce Pipeline Consortium and led a $25 million investment for cybersecurity education at historically black colleges and universities (HBCUs). To continue fostering the talent needed to address modern cyber threats, the administration plans to broadly invest $70 billion in colleges and universities that play critical roles in their communities, such as HBCUs, tribal colleges and universities (TCUs), Hispanic-serving institutions (HSIs), and Asian American and Native American Pacific Islander-serving institutions (AANAPISIs). However, it is currently unclear how much of this funding will be directly geared toward cyber education and training. As a candidate, Biden also pledged to provide educational opportunities for women to pursue science, technology, engineering, and mathematics (STEM) careers by investing in school vocational training and partnerships among high schools, community colleges, and employers.

The cyber arena remains largely bipartisan as Democrats and Republicans recognize the urgency to address cyber vulnerabilities and rein in Big Tech as well as the need to protect critical infrastructure, enhance U.S. cyber defenses, and build a strong cyber-workforce. Across the cyber and technological landscape, President Biden is urging collaboration across all government levels—local, municipal, state, and federal—and cooperation with partners and allies, particularly in Asia and Europe, to tackle cyber-threats. At the Munich Security Conference in February 2021, President Biden called on European partners to address cybersecurity, expressing his desire for multilateral cooperation on the issue and promising to recommit U.S. international engagement to create and uphold global norms in cyberspace and emerging technologies. Similarly, in March 2021, Australia, India, Japan, and the U.S., collectively known as the Quadrilateral Security Dialogue, asserted their cooperation on establishing international standards and initiatives with respect to emerging and critical technology (particularly 5G and AI) and enhancing cybersecurity as a means to combat China’s growing economic and technological influence in the region. In April 2021, National Security Advisor Jake Sullivan signaled the administration’s support for new EU restrictions on how companies can use AI and pointed to Australia as a key ally with which to tackle cybersecurity, suggesting that the administration is eager to cooperate with allies and leverage existing alliances such as the Five Eyes (Australia, Canada, New Zealand, the UK, and the U.S.) to address global threats to cyber and technology security. In its interim national security guidance, the Biden team identifies cyberattacks and digital authoritarianism as key threats to democracies worldwide, and cyber and technology challenges were a central issue at the 2021 Copenhagen Democracy Summit. The ability of technology to bolster democratic institutions was also a key component of the summit, however, the event was notably funded in part by Facebook, Microsoft, and Twitter. Still, the administration will face myriad obstacles addressing the evolving threat while balancing the rest of its foreign policy priorities, particularly COVID-19 and climate change.

President Biden’s Initiatives in Cyber and Technology
Economic Investments
Enhancing Accountability and Multi-stakeholder Collaboration
Notable Cyber Legislation in Congress
  • Cyber Diplomacy Act—The U.S. House of Representatives Committee on Foreign Affairs passed a bill in April 2021 requiring the Department of State to develop a strategy for promoting norms in cyberspace, create a cyber-diplomacy ambassador role, and establish a Bureau of International Cyberspace Policy. The goal of the act is to cultivate stronger partnerships between the U.S. and its allies to combat cyberattacks and address cybersecurity with “a unified approach.”
  • Endless Frontiers Act—A bipartisan, bicameral piece of legislation that seeks to invest in U.S. domestic technology and cyber security education, manufacturing, and the establishment of a new Supply Chain Resiliency and Crisis Response Program with the mission of strengthening critical technology supply chains in the U.S. and with allies and partners.
  • Strategic Competition Act—In April 2021, the Strategic Competition Act was approved by the Senate Foreign Relations Committee. The act focuses on U.S.-China relations with a goal of strengthening American competitiveness via investments in science and technology, global infrastructure development, digital connectivity, and cybersecurity partnerships to counter Chinese influence.

Challenges for the Biden Administration

Attribution problem makes holding countries accountable to global norms difficult. One core pillar of Biden’s strategy to enhance U.S. deterrence and cyber defense is establishment of a set of global norms and holding those who violate standards of behavior accountable. While calls for a “Digital Geneva Convention” have been long standing from key private-sector actors, particularly Microsoft, it is difficult to control hacking when the likelihood of plausible deniability is high. The majority of offensive U.S. cyber-operations are conducted out of a central agency—the U.S. Cyber Command—but for countries such as China and Russia, attribution is far more difficult to delineate. China commonly uses third-party organizations to hack into specific targets. Although President Vladimir Putin asserts that Russia has never hacked other nations’ elections, he has described hackers as “artists” and “patriots” who are not under the Russian government’s control. Following the Colonial Pipeline hacking, President Biden pointed to Russia for creating a safe haven for hackers, though he did not go so far as to ascribe the hack directly to the Russian government. Moreover, the U.S. has benefitted from ambiguous international cyber standards, reportedly hacking the Russian electrical grid and Iran’s nuclear power plants, essentially using cyber tools as weapons short of war. Critics note that the U.S.’s use of the cyber arena to pursue its own geopolitical agenda leaves it at a disadvantage when it comes to establishing and enforcing international norms of behavior, particularly against adversaries, as the U.S.’s actions have also adversely affected other countries’ economies and security.

Lack of multi-stakeholder coordination impedes the development of U.S. cyber defenses. For years, private companies have formed cybersecurity alliances and established industry-specific rules regarding tech and cyber security, such as the Cybersecurity Tech Accord and the Charter of Trust. As the Biden administration looks to lead the international community by example, the federal government has struggled to adopt a comprehensive approach to cyber and technology security. Since 2010, the U.S. Government Accountability Office (GAO) has made 3,300 recommendations to federal agencies to address high-risk cybersecurity shortcomings, and in a report published in March 2021, it found that as of December 2020, more than 750 of those recommendations had not yet been implemented. In another instance, the Department of State failed to involve or communicate with agency partners about the reorganization of the Bureau of Cyberspace Security and Emerging Technologies (CSET), its cyber diplomacy bureau. The position of cyber coordinator at the Office of the Coordinator for Cyber Issues at the Department of State also notably remains vacant since Chris Painter left the post in 2017. Whether the administration fills this coordinator post could serve as an indicator of how seriously the Biden team will take cyber diplomacy and the coordination of international cyber norms. At the same time, the Cyber Diplomacy Act requires the Department of State to create an ambassador role for cyber diplomacy as well as the creation of a new Bureau of International Cyberspace Policy, raising questions as to how the administration, specifically Secretary of State Antony Blinken, will establish and reconcile these positions and efforts throughout the department. As cyber threats have risen in frequency and complexity, disparate, piecemeal attempts across various agencies have resulted in an uncoordinated cybersecurity approach and ill-prepared defenses. Although the ONCD will fulfill the role as a government-wide coordinator, the efficacy of this position is still to be determined. In the meantime, the Cyber Solarium Commission (CSC) has called for the creation of a federally funded center to develop cybersecurity insurance certificates and public-private partnerships on cyber risk models.

Legal barriers limit domestic visibility in critical technology. While cyber regulation is still developing in the U.S., current laws (see executive order 12333) that justifiably protect civil liberties and privacy also limit the federal government’s ability to respond to domestic cyberattacks that affect critical infrastructure located within the U.S. or data belonging to American citizens. In the case of the SolarWinds hack, the attackers exploited the legal barriers among the IC, law enforcement, and U.S. citizens, hindering the government’s ability to respond and thereby making the precision of the coordinated attack more dangerous. Neuberger notes that building relationships with the private sector will be critical to ensure that civil liberties are protected while the government continues its investigation and rebuilds its defenses, given that the private sector owns approximately 87 percent of federal infrastructure. Indeed, the private sector will play a crucial role in bolstering U.S. cyber defenses, particularly as non-state actors, such as cyber-criminals, are increasingly exploiting the interconnected environment; mounting sophisticated cyber-operations; targeting financial institutions and smaller targets; and being used by other countries as a means to evade sanctions, launch attacks with a degree of plausible deniability, and learn foreign technical expertise. In April 2021, Secretary of Energy Jennifer Granholm, Easterly, and the electricity industry launched a 100-day cybersecurity pilot program to evaluate the U.S.’s electric grid and the energy sector’s supply chain, and to strategize policies to protect this critical infrastructure sector.