President-elect Joe Biden's transition team has recently been announcing appointments for the incoming administration. As the country learns who will lead it next, cybersecurity experts are speculating how the appointees will approach protecting the United States from cyberthreats.
"I think you'll finally see cyber and cybersecurity issues become a true national security, economic security, and diplomatic priority," said Chris Painter, president of the Global Forum on Cyber Expertise Foundation and former government cybersecurity official, in a panel today on the Biden cyber agenda hosted by the Institute for Security + Technology. "We've been moving toward that. I think it'll finally get there, and it won't take a 'cyber 9/11,' 'cyber Pearl Harbor' … that people have been predicting for years. I think we're finally at that level of maturity."
Painter expects the return to cybersecurity being treated as a "real bipartisan issue," a thought echoed by others on the panel as a necessary change.
"I think we'll see a multilevel, multilateral, all-hands-on-deck kind of plan we haven't seen before," said Kemba Walden, attorney in Microsoft's Digital Security Unit and former attorney and adviser for cybersecurity at the Department of Homeland Security. A new administration brings opportunities to work with the private sector and law enforcement on key issues.
While many positions remain open, Painter noted most high-level roles have so far been filled by people who have experience with cybersecurity issues. Historically, most appointees who come in at a high level have little to no background in information security. He pointed to Antony Blinken, the appointed secretary of state, Jake Sullivan, the next national security adviser, Biden, and vice president Kamala Harris as examples of incoming officials who have previously handled cybersecurity matters.
"This is really different, having a crew come in who understand these issues at some level," he said. Cybersecurity will not be their first priority, and each appointee will have other responsibilities to handle, but it will be something that most have dealt with in the past – something Painter called "a real seed change."
Of course, key cybersecurity roles have yet to be filled. Mieke Eoyang, senior vice president for the national security program at Third Way, anticipates the Biden administration will be keen to bring in experts from the private sector who have experience in the industry. Many are curious who will lead the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), after the recent firing of former director Chris Krebs.
"CISA has to be part of the solution," said Eoyang, adding the agency has become the "go-to" place in government for cybersecurity issues. She anticipates the credibility CISA has built up over the years will put its officials in a position to facilitate conversations among the FBI, NSA, and other branches of government when it comes to key cybersecurity issues.
Walden anticipates DHS will become "even more of a central agency" than it has in the past, noting that "Krebs did a great job bringing CISA to the forefront."
Rebuilding Partnerships: Public, Private, International
All three panelists stressed the importance of collaboration – with the private sector, with law enforcement, and with other nations – for battling security threats.
A challenge in the public-private partnership is there is no single place where businesses can communicate with the government, said Walden. She explained the need for an office where organizations can communicate once and their message is shared across government in a productive way. As someone with experience in both sectors, she hopes the Biden administration "doubles down" on information sharing.
"I think that's the only way we're going to be able to drive up the cost of cyberattacks on critical infrastructure – if there is a robust, constant partnership between the private sector and the government," Walden said.
Adversaries won't hit key targets in an obvious way, she noted. "They'll go around, they'll go under, they'll go through to get at our critical infrastructure," she said.
Walden said that Microsoft is hoping to broaden government engagement for tackling cyberthreats like ransomware, which panelists agreed is a key area of concern among the public and private sectors. What's unique about ransomware is there isn't a specific infrastructure, Walden explained. The trick with ransomware is to focus on the payment distribution system and bring it down– an area where public and private organizations could collaborate.
Information sharing could also improve partnerships with law enforcement, Eoyang said. In trying to put together metrics for how cybercrime is being address, Third Way noticed the numbers are crude: It has self-reported incident data and number of arrests, but no intel on how those two are linked together or how many arrests are linked to specific incidents. Law enforcement has an opportunity to measure what's happening, she explained.
"That's a data challenge I think we're going to have to wrestle with as we go forward, but we know that the crime scales," she said. "We have to do a better job of information sharing."
She also hopes the incoming administration will recognize the need for, and benefit of, working more closely both with law enforcement and the private sector for fighting cybercriminals.
Painter explained the need for greater collaboration with other nations, noting cybercriminals often route their attacks through other countries.
"We need to have those partnerships, and we need to have that capacity building," he said.
This will drive much-needed accountability and consequences for attackers.
"One of the approaches I'd like to see in the Biden administration is encouraging international cybernorms – maybe even encouraging at some point a cyber doctrine or treaty that will govern the use of cyber measures across countries, across companies," Walden said.