As the incoming Biden administration takes shape, security experts expect to see cabinet members with existing cyber experience, even if it's not their first love.
President-elect Joe Biden's nominations for security-related cabinet members thus far include:
- Antony Blinken as the secretary of state
- Alejandro Mayorkas as the secretary of homeland security
- Avril Haines as the director of national intelligence
- Jake Sullivan as the national security advisor
"The reason I think this is a sea change is almost every one of these people does have experience dealing [with] these issues," said Chris Painter, president of the Global Forum on Cyber Expertise Foundation, during a virtual panel hosted by the Institute for Security and Technology Wednesday. Painter has held several roles in the Justice and State Departments and the White House in a cybersecurity capacity.
Experts say the incoming administration will be more in tune with cybersecurity than previous administrations. Sanctions on foreign governments are limited and cyberwarfare is an even playing field. But the government has to first overcome domestic hurdles in unified cyber strategies.
Over the course of his career in the federal government, Painter has seen "people come in at that very high level, [but] they have very little idea of what cyber is," he said. Though there have been exceptions over the last thirty years, such as former U.S. Attorney General Janet Reno's early concerns about handling cybercrime, cyber hasn't traditionally been featured on cabinet members' resumes.
National security is taking a more proactive stance toward cybersecurity including multilateral strategy throughout the federal and local government. "I think you'll finally see cyber and cybersecurity become a true national security, economic security and diplomatic priority," said Painter.
"We may see a return to cyber being treated as a real bipartisan issue; that would be a great change," Painter said.
While other national security roles are vacant awaiting appointment by the president-elect, experts say one key addition is having a cyber chief inside the White House. The position, recommended by the Cyberspace Solarium Commission, is seen as critically important, and it is one that other administrations lacked. The final National Defense Authorization Act (NDAA) has a provision establishing a national cyber director, Politico reported Thursday.
Rocky road
The private sector is playing a more active role in national security, in part due to substantial efforts by the Cybersecurity and Infrastructure Security Agency (CISA) and the Solarium Commission. "I think that you'll see that the Biden administration will be interested in bringing in people who have experience in industry," including former Facebook CSO Alex Stamos, said Mieke Eoyang, SVP of the National Security Program at Third Way, during the panel.
Security professionals are hungry for more cross-sector collaboration. "It goes beyond network defense. If you want to touch law enforcement or the intelligence community in some way, you just want to do it one time," said Kemba Walden, an attorney with the Digital Security Unit at Microsoft and former counsel in DHS.
Information sharing is the "only way" to "drive up the cost of cyberattacks on critical infrastructure," said Walden.
With a robust cybersecurity posture and personnel familiar with its importance, Eoyang welcomes "a respite from bold moves."
Over the course of the Trump presidency, the tech industry experienced major antitrust movements, calls for changing encryption practices, threatened application bans, a robust election security plan, federal cyber leadership shakeups, and most recently a standoff between the White House, social media giants and Section 230.
While security is caught in the middle of larger technological disputes, the private sector hasn't always been incentivized to cooperate with the federal space. Despite the technological savvy of the National Security Agency (NSA), it's "distrusted by the technology community and I understand why," said Eoyang. Some companies are "uncomfortable" working with the FBI due to its encryption demands.
CISA was founded to remedy those hangups, and ease any doubts. Since its inception and under former Director Chris Krebs's leadership, the agency became a more trusted body of the government for the private sector to engage with. Still, there are disparate pieces of the federal government working on cybersecurity, fragmenting any form of unified coordination.
The federal government has historically approached cyber as a military response, like what was seen in the Trickbot disruption in tandem with Microsoft. But instead of limiting defense strategies to operational chaos, what if the U.S. engaged in arresting the actors behind Trickbot, asked Eoyang. Law enforcement and the appropriate retaliation are still being figured out in cyberspace.
Law enforcement's role in private sector cooperation has been tense, seen most recently in the Treasury Department's Office of Foreign Assets Control (OFAC) ransom sanctions advisory. Ransomware "will focus people's attention on dealing with that and trying to get to perpetrators in a very different way than what we've seen in the past," said Eoyang. Because of ransomware's prevalence, the incoming AG is "going to just have to deal with" how organizations handle response and recovery.
Cybercrime and ransomware will shape the Biden administration's cyber tenacity and appetite for legal action. Cyber leadership will need to balance law enforcement and national security with the economic side of the U.S. government. "The Biden administration will need to step back, get its house in order [and] coordinate some of those things," said Eoyang.