Obama-era cybersecurity staff will likely fill Biden posts. What cyber policy aspects need more attention this time?

Marcus Fowler

Director of Strategic Threat at Darktrace

In its first 100 days, the Biden administration must correct course and reclaim our global posture by doubling down on cyber defense. Throw out the old presumption that the rules of conventional warfare apply to the world of cyber because, the fact is, the global cyber superpowers are separated by having the best defense, not just good offense.

Historically, cyber-attackers have been emboldened by muted and inconsistent responses from the U.S. because of the simple truism that cyber attribution is difficult. But the U.S. should be operating from a point of assessed attribution based on intelligence estimates, aiming to hold attacking nation-states responsible through all levers of power.

However, the more urgent focus should be prioritizing and resourcing the elements of policy, personnel and technology to establish defensive superiority, as deterrence and defending forward are simply not enough anymore. If we learn anything from SolarWinds, it should be that we need to completely reevaluate our approach to intelligently detect and defend against increasingly novel campaigns masterminded by nation-states. Our current prevention strategies and rigid signature-based defense — which only stop known threats — are minor inconveniences at best against such novel sophisticated attacks.

To achieve this defensive superiority, it's essential that we adopt technology that understands the internal digital environment and watches over critical data, rather than focusing only on the attacker and trying to predict their next move. The Biden administration must refine policies associated with onboarding these advanced technologies, such as AI, which can detect, investigate and respond to malicious activity within the network.

This approach shifts attention to the critical issue at hand: understanding and constantly enforcing "normal" digital behavior. With an understanding of evolving "normal" activity, we will be better equipped to disrupt and stop attacks at the earliest signs of compromise.

Riana Pfefferkorn

Research Scholar at Stanford Internet Observatory

China. I am not certain that the Obama administration came out the right way in terms of where to strike the balance between shaking hands and shaking a big stick. The Obama-Xi 2015 cyber espionage agreement did not last long term, and China has continued to be a threat to our economy, national security and even public health. While the previous administration did take China seriously (unlike Russia), its incoherent approach to China sometimes smacked of isolationism, bellicosity and xenophobia rather than a clear-eyed assessment of risk.

The Biden administration cannot afford to take too soft a stance towards China, as Obama was accused of doing, and the more assertive military posture in cyberspace that Biden inherits may be worth preserving. However, economic considerations and diplomacy will still be indispensable parts of any China strategy. Biden needs to carefully balance U.S. cyber defense and economic interests, while at the same time rebuilding a State Department that was greatly weakened by his predecessor. It is a fine line to walk and I don't envy him the task.

Sanjay Beri

CEO at Netskope

Elevating cyber policy needs to be the nation's focus not just in reaction, but in training and education. National cybersecurity must focus on the fact that data is the new oil, so understanding where that data is, and how to protect it, is imperative. Less than 0.1% of the U.S. GDP is spent on cybersecurity when in reality the new wars are happening in the cyber world.

Over the last year especially, we have seen digital transformation accelerated by the pandemic. As a result, training the next generation of security experts needs to happen early, or the U.S. will continue to be outmanned by its adversaries.

It is not the job of the government to invent, it is to defend. Innovation happens in the private sector, so policies should encourage the people who are going to develop next-generation security tools, as well as the people who will operate them.

Corey Thomas

CEO at Rapid7

A top priority, as the Biden administration knows, is to get the government's own house in order and recover from the SolarWinds attack by using ongoing IT modernization programs and forthcoming COVID relief, infrastructure and stimulus packages to strengthen the security of federal systems.

One of the things that is arguably different in comparison to the Obama era is that more policymakers and large enterprises recognize cybersecurity to be a critical component of business and government operations. However, I see less awareness and security maturity among smaller private sector entities. Unfortunately, this increasingly makes them targets of malicious cyberattacks, and it is often more difficult for smaller and medium-sized organizations to recover when they are already under-resourced. For these reasons, cybersecurity-focused funding, incentive and education programs for this segment of the market will help strengthen baseline security practices.

Supply chain risk has become a dominant topic in security, particularly the security of shared services. Third parties that provide services to many organizations systemwide, such as cloud platforms and managed services providers, have outsized risk if they are not secure. The federal government is coordinating multiple work streams focused on supply chain security, and this work should continue as the complexity of interconnected systems will only increase.

As the Biden administration considers whether to carry on with domestic privacy legislation work initiated by the Obama team, they should prioritize federal requirements for consumers' personal information security. Roughly half of all states now have enacted laws requiring security for personal information. This patchwork is not good for businesses or consumers, yet there is greater consensus on federal security requirements for personal information than for other aspects of privacy. While privacy is important, personal information security would independently advance the goals of protecting consumers and driving adoption of consistent basic cybersecurity practices in the private sector.

Sherry Ryan

CISO at Juniper Networks

In the wake of the SolarWinds incident, I expect a stronger emphasis to be given to supply chain security and for more assistance to be given to U.S. firms to help them strengthen their cyber defenses. This assistance will include more guidance documents, such as those provided currently by CISA and NIST, to aid organizations in hardening their infrastructures. I also anticipate a renewed focus on forging effective public-private partnerships to further our nation's cybersecurity posture and a greater commitment to attribution and accountability for hostile actions taken against U.S. organizations. My expectation is that investments in cybersecurity capabilities will be increased with a focus upon leading edge technology solutions.