After the Apocalypse: Cybersecurity

After the Apocalypse is a series of policy recommendations for the incoming Biden administration.

Cyberspace has emerged as the latest domain of conflict and security. The Biden administration is taking office at an incredibly difficult time with surging coronavirus cases, rampant disinformation, financial uncertainty, and sophisticated cyberattacks targeting the government and private sector alike.

As part of the “After the Apocalypse” series — a set of policy recommendations to help guide us out of a time that has frequently felt like the end of the world — Inkstick asked Camille Stewart, Sasha O’Connell, and Lauren Zabierek to weigh in on how the incoming administration can address cyber security issues. The one thing they all three agreed on was the immediate need for a National Cyber Director. They also agreed on the need for a more coordinated and operational cyber security strategy.

Their other recommendations are as follows:

Camille Stewart, Head of Security Policy and Election Integrity for Google Play and Android 

  1. Leadership: I am glad the National Cyber Director was codified as part of the 2021 National Defense Authorization Act (NDAA). As cyber and technology issues increasingly intersect with and influence other disciplines, a leader responsible for enhanced coordination, deconflicting, and implementing an action-oriented cyber strategy will be crucial. The Biden administration will need to build this office quickly and work with the interagency to ensure the Cyber Director is empowered to lead the strategic vision on cyber and tech, balance the equities and authorities of the interagency while engaging industry and other White House directorates, interagency stakeholders, and administration priorities to advance U.S. interests. This will be no easy task but an extremely important one.
  2. Strategy: With a National Cyber Director at the helm, the Biden administration must update the National Cyber Strategy to a ‘whole of society’ cyber strategy that includes a comprehensive implementation plan. According to a Government Accountability Office report on cybersecurity, the current cyber strategy fails to identify resources needed to carry out 160 essential activities. The administration’s strategy must fill the gaps in interagency coordination, lean in on cyber deterrence and defense, and advance the recommendations outlined in the Cyberspace Solarium Commission report by updating the strategy and articulating an action-oriented roadmap and plan. The strategy must advance digital (technology and software) supply chain security standards and regulation, a national security priority that is underscored by the recently detected Solarwinds software supply chain compromise and the related post intrusion activity affecting multiple entities worldwide.
  3. Prioritizing Diversity: The administration must prioritize diversity in both the workforce and policy. Cybersecurity is a relatively new field and could serve as an example of how federal processes can begin including diverse hires, and how racist and sexist federal processes are actually a threat to the United States.

 

Sasha O’Connell, Director of Terrorism and Homeland Security MS Program, American University’s School of Public Affairs

  1. Leadership: The 2021 NDAA includes a provision for the creation of a Special Assistant to the President for Cyber, or National Cyber Director. While this is welcome news, the “who” for this job is equally important. The Biden administration must act quickly to recruit an individual for this role who is not only a senior leader with national security but also has a technical/engineering background, has experience engaging with stakeholders in both the private and public sectors, and can manage interagency dynamics.
  2. Tackle Disinformation: The Biden administration must prioritize tackling disinformation. The newly appointed Cyber National Director and his/her staff must take a lead in formal rule-making and assist with legislation designed to mitigate the threat of disinformation. The ultimate goal is to build resiliency while longer term solutions are being developed.
  3. Clarify Jurisdiction: The administration would ideally pick up the baton on the question of how to address the growing categories of digital evidence that are out of bounds for court authorized law enforcement and intelligence collection due to technology implementations. As the implications and scope of this issue grow every day, it is imperative that thoughtful options continue to be designed in advance of the day when political will is strong enough to push Congress to take action.

 

Lauren Zabierek, Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center

  1. Leadership: In creating the conditions for effective strategy development and implementation, President-elect Biden should look to fill critical cyber leadership roles immediately, to include the new National Cyber Director (NCD) and vacant CISA Director roles. The inaugural NCD will step into the position at an urgent time, as we continue to investigate and respond to the SolarWinds operation, and must build a coalition of leaders across the federal, state, and local governments as well as private sector to develop and execute a whole-of-nation strategy. Although the NDAA left out the provision to create a Senate-confirmed Cyber Coordinator in a re-established Bureau of Cyber Affairs at the State Department, now with a Democratic House and Senate majority, Congress could look to enacting this legislation down the road. The President-elect should fill this role immediately to signal our nation’s commitment to leading in the international arena as well.
  2. Strategy: The United States needs a comprehensive, whole-of-nation US Cyber Strategy that brings to bear our capabilities and leadership and also addresses our vulnerabilities like software procurement, supply chain management, and 5G telecommunications security. It should address our domestic defensive posture as well as our national interests. We have disparate elements of cyber policy and capabilities— but we must combine all elements of our cyber power, and coordinate the domestic, military, intelligence, diplomatic, legal, and financial efforts in the cyber domain to further our interests and protect our nation.
  3. Bolster Domestic Defense: A US Cyber Strategy must also address our domestic cyber posture and make significant investments to improve it, given its vulnerability to cyberattacks by nation state actors and criminals alike. Our networks are largely privately owned and operated and every organization is responsible for the protection of its own systems. There is little capacity for companies, organizations, and agencies to operate a collective defense, systematically sharing threat data, coordinating defensive actions, and continually learning from each other. In a perfect world, the Biden administration could facilitate a more coordinated domestic defensive cyber posture between the public and private sectors, through executive orders, institutional support, and touchpoints with the federal government.