Four Ways for President Biden to Fix Cyber on January 21

Josh Stiefel, Ian D. Smith
Monday, December 14, 2020, 8:01 AM

The Biden administration should catalogue cybersecurity resources; improve federal coordination and response to domestic cyber incidents; and establish the lines of responsibility for the provision of intelligence support to the private sector.

President-elect Biden gives a speech celebrating his victory. (Photo by Adam Schultz / Biden for President)

Published by The Lawfare Institute in Cooperation With Brookings

From a global pandemic that has shown no signs of slowing to regional instability across the world, President-elect Biden will have no shortage of issues to address. Unlike nearly all other challenges, however, Biden and his incoming national security team can make demonstrable progress in cybersecurity within hours of taking office. Too frequently, American policymakers have approached and treated “cyber issues” as a purely technical problem requiring a technical solution. Despite this presumption, many solutions to cyber issues are not technical at all and are solidly grounded in how humans use technology, rather than in the technologies themselves. The measures presented here highlight that tangible results are within reach and that the Biden administration can hit the ground running on day one.

Recognize That Cyber Is as Much a Human Issue as a Technical One

While technical at their core, cyber problems arise as a consequence of how people use technology just as much as they do from the technology itself. Potential solutions to cybersecurity challenges must seriously account for the human element and consider it with the same seriousness as technical solutions.

In many high-profile cases—affecting industries from banking to health care—the root cause is not that an advanced adversary deployed a novel zero-day exploit but, rather, that someone somewhere in the affected organization either forgot a critical but available security action or assumed that someone else had performed it. For example, in 2019, when a Seattle woman exploited a misconfiguration in Capital One’s web application to gain unauthorized access to millions of the bank’s customer records, it was because the bank assumed its security posture was constructed correctly; it was not due to a failure in the bank’s robust risk and information security apparatus. When the WannaCry ransomware brought the United Kingdom’s National Health Service to a standstill in May 2017, it wasn’t because WannaCry exploited a never-before-seen vulnerability in the Windows operating system; rather, it was a failure on the part of at least 80 health care facilities and 595 general practitioners’ offices to install an available patch to address the vulnerability. The problem in both cases was not the technology but, rather, compounding errors built on erroneous assumptions made by the people operating the systems, technologies and processes.

These human issues derive from deadly assumptions, also known in the field of psychology as “heuristics.” These are mental shortcuts that allow an individual to make a decision, pass judgment or solve a problem quickly. Take a crosswalk, for example. People see the white logo of a pedestrian on a sign and assume that they are safe to cross the street, putting faith in the approaching cars to stop. While these shortcuts are useful in everyday situations, they do not fare as well within complex institutions or processes, as overreliance on these assumptions causes people to overlook problems and possible solutions. When people rely on assumptions, it becomes difficult to know, account for, and examine the shortcuts that their brains are making in the background. Depending on the context, the consequences could be minor, costly or crippling for an organization.

Inventory and Publicize Government Resources Devoted to the Private Sector

As one of its first services to the American people, the Biden administration should inventory all the services and resources already offered by federal agencies to create a single repository or catalogue of services, and then publicize this document as widely as possible across as many outlets as feasible. Readers would be forgiven for assuming that a tool as straightforward as a comprehensive catalogue of the cybersecurity resources, pilots and programs run by various arms of the U.S. government has long been available to the private sector. Unfortunately, this is another of the deadly assumptions that riddle the cyber arena.

Consider the perspective of a chief information security officer (CISO) at a mid-size company, for example. CISOs are tasked with a variety of obligations and duties, ranging from building and deploying a cybersecurity program to actively monitoring for threats. They need to be creative in how they use their limited resources and in how they leverage their existing personnel to maximize the effectiveness of their security. To fulfill this task, the hypothetical CISO will want to look for government resources that can help secure the company—but how will the CISO know where to turn? He or she may learn of existing government programs by chance or by browsing various agencies’ social media feeds, but that’s no guarantee that the CISO will single-handedly discover each government agency’s offerings.

Whether it’s the FBI, the Secret Service, the National Security Agency’s Cybersecurity Directorate, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), or the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, numerous government departments and agencies have devoted tens of millions of dollars over the years to developing tools and programs that help the private sector and academia improve their cyber defenses.

Government-run programs include efforts for participants to share information on cyber threats in real time, services such as free and persistent scanning and assessments run by dedicated teams of cybersecurity professionals, and full-time, government-sponsored forums for private and public stakeholders to meet and share best practices, among many others. While useful, the impact of these programs falls short of their potential when interested parties have to search through the websites of multiple bureaucracies to discover them, if they are even successful. Additionally, without a centralized initiative to consolidate the agencies’ offerings, the stovepipes also ensure that agencies are not aware of potential redundancies in services and investments.

Somehow, a U.S. government catalogue of federal cybersecurity resources still does not exist—four years after the networks of the Las Vegas Sands Corp. were attacked by Iran, six years after Sony was breached by North Korean hackers, and eight years after five of the nation’s largest financial institutions were attacked by an Iranian-originated distributed-denial-of-service campaign. The lack of such a catalogue highlights the glaring gap between the offerings of the government and the needs of the private sector. It also reveals the government’s own deadly assumption that both the general public and the private sector are aware of the various government agencies’ cybersecurity services.

The Biden administration could take a major step forward by creating a tailored catalogue of all the government services, programs and resources available to address the private sector’s cybersecurity needs. This catalogue should be organized by critical infrastructure sectors and other institution types and sizes, such as small retail banks, medium-sized electric utilities or large public universities. It should contain the basic information making each public-facing cybersecurity program useful and accessible to the stakeholder, including the name of the program, a description of the service and its intended customer, as well as contact information for the responsible agency office.

With the right leadership direction, a catalogue of services could be built extraordinarily quickly. Publishing and publicizing this long-overdue catalogue in the first 50 days of the Biden administration would deliver an immediate benefit to private-sector institutions. Large swaths of the private sector lack the resources to build and sustain dedicated cybersecurity teams, and private-sector institutions would be able to better match their needs with the services offered by the government. From the government’s perspective, departments and agencies would more quickly understand the needs of the private sector and be able to better prioritize cyber-related investments.

Clarify National Responsibilities for a Domestic Cyber Incident

Biden’s cyber agenda will need to prioritize improving the federal coordination and response to domestic cyber incidents. To the untrained eye, it might seem like the government has created clear lanes regarding which agencies are responsible for what actions in a crisis. In July 2016, the Obama administration took a major step forward with the release of Presidential Policy Directive 41 (PPD-41)—United States Cyber Incident Coordination. This policy document attempted to streamline the government’s response procedures—but many areas for improvement remain.

Imagine that a major electric utility company in Ohio suffers a catastrophic cyberattack, and nearly a quarter of Ohio’s more than 11 million residents are without power. While the CEO is working to bring the system safely back online, it is entirely possible that representatives from multiple departments and agencies either attempt to reach out or appear on site within hours, none of which would be coordinated on the government’s end. The assistance could come in the form of the special agent in charge of the FBI’s Cleveland Field Office offering specialists from their Cyber Squad, the secretary of homeland security deploying one of CISA’s fly-away teams, the Ohio governor announcing the use of the Ohio National Guard’s cyber teams, or the secretary of defense ordering U.S. Cyber Command to respond to a request by the secretary of energy for Defense Department support.

In the midst of a crisis where lives and livelihoods are at risk, no official will want to be accused of inaction, and the guidance laid out in PPD-41 will quickly be thrown aside in the rush to respond to the cyberattack. Although increased assistance may lead to faster solutions, a surge of various agency personnel may only exacerbate the problem. None of the arriving agency officials will have prior knowledge of the specifics, like what sorts of systems, software, hardware and operational technology a given utility company may have. The utility company’s employees will spend more time bringing all of these people up to speed on what has happened and where the problem could possibly be, than they will in actually getting the power back on.

Broadly, PPD-41 has two critical weaknesses that undermine its objective of ensuring that a government response to a cyber incident is conducted smoothly. The Biden administration will need not only to address PPD-41’s weaknesses but also to ensure that contingencies at various scales are exercised continuously by an ever-evolving set of public and private stakeholders.

PPD-41’s first major weakness is the presumption that the coordinating body, composed of representatives from various departments and agencies, would have the seniority to stay abreast of and direct the actions of their respective organizations. Yet not all government agencies are built in the same way. The FBI exemplifies a highly decentralized organization, delegating immense operational authority and capability to the special agents in charge of its 56 field offices spread across the country. While FBI personnel in Washington, D.C., would be assigned to the coordinating body envisioned in PPD-41, it would be the special agent in charge closest to an incident who would exert operational authority over and direct the FBI agents, analysts and specialists on the scene.

The second major weakness of PPD-41 is its presumption that the federal government would be the only government entity capable of or involved with the response to a domestic cyber incident. However, states’ governors are increasingly empowered, as they command the states’ National Guard forces, many of which have organic cyber-capable teams, trained to the same standards as their active component counterparts. This means that governors, who are under no obligation to adhere to PPD-41, can send National Guard units to the scene of an incident, personnel who would not have coordinators in Washington to deconflict with other agencies on their behalf.

Given the immense statutory overlap in authorities of the ever-growing number of government agencies with cyber equities, there is even more impetus to build a strong, central coordination mechanism. The lack of a single senior coordinator could be filled by the national cyber director, a proposal currently under consideration in Congress, who would serve as the president’s top cyber adviser and reside within the Executive Office of the President. If enacted, a national cyber director would be well situated to look across the interagency to examine holistically the response capabilities of executive branch and independent federal departments and agencies, a review made more necessary before the next incident, vice in the aftermath of one.

Establish Clear Lines of Responsibility for Intelligence Support to the Private Sector

Upon taking office, President Biden should establish the lines of responsibility for the provision of intelligence support to the private sector. Presently, the FBI, the National Security Agency, CISA, the Department of Homeland Security’s Office of Intelligence and Analysis, the Office of the Director of National Intelligence (ODNI)’s new intelligence community cyber executive, and the intelligence components of the sector-specific agencies (for example, the Department of the Treasury for the financial services sector) all have reason to claim this function to be squarely, if not exclusively, within their agencies’ wheelhouses. For example, the FBI bills its InfraGard public-private partnership program as the premier forum for critical infrastructure threat information sharing, while Homeland Security’s Office of Intelligence and Analysis notes prominently that it “is the only [intelligence community] element statutorily charged with delivering intelligence to our … private sector partners,” conducted principally through its Homeland Security Information Network. While the ODNI announced in May 2020 that it was consolidating its cyber-focused offices into a new cyber executive, one of its now-defunct predecessor offices is still prominently advertised on the ODNI’s site as the intelligence community’s “principal substantive advisor for cyber threat intelligence.”

While each of these organizations does play a role in providing intelligence to private-sector owners, operators and stakeholders, the inability of the intelligence community to organically formalize responsibilities for intelligence support to the private sector has resulted in a haphazard and disorganized bureaucratic mess. A combination of factors—the significant overlap in statutory responsibilities of the various agencies, the unique relationships among different individual private institutions and government agencies, and the lack of any interagency coordination and deconfliction mechanism—has fostered this miasma for years. In late 2016, the CEOs of the nation’s eight largest financial institutions came together to request that the government do more to support private-sector critical infrastructure, specifically with the provision of greater intelligence support. While these pleas led to the creation of a new private-sector consortium, the Financial Systemic Analysis & Resilience Center, and subsequent progress in the understanding of risks to critical infrastructure, calls for enhanced and deconflicted intelligence support have persisted. It is the shortfall in senior-level attention and effort to address the underlying issues that enables agencies to pursue business as usual, instead of necessary change.

The lack of substantive progress in coordinating agency efforts not only has frustrated numerous private institutions but also has seen the allocation of agency resources and personnel become highly ineffective. Private institutions have learned it is easier to develop relations with as many agencies as possible and see how that plays out rather than counting on their contacts at various agencies to coordinate their efforts. Numerous anecdotes from private institutions reinforce that this wide-net approach continues to be favored, as not all agencies are equally responsive or forward leaning on threat information.

The problem is less that providing intelligence support to the private sector is a conceptually complicated issue to untangle, and more that the issue has never drawn sustained senior attention. By forcing the disparate elements of the national security community to create detailed roles and responsibilities, particularly regarding the provision of cyber-related intelligence, the Biden administration can quickly improve the country’s defenses, while reducing unnecessary duplication of effort. While no single agency can own the entire problem set, the clear delineation of responsibilities as well as a binding strategy for private-sector engagement would be a tremendous step forward from the situation today.

Conclusion

Over the past 15 years and three presidential administrations, the United States has taken major steps to catch up with an evolving security environment, in which cyber threats weigh heavily. Indeed, the United States is still the most capable cyber power in the world. Yet while the nation has leapt forward in its cyberspace capabilities, the U.S. government has missed the refinement of some fundamentals and lost the perspective that cyber is largely a human problem. By recognizing that many of the nation’s cyber challenges have solutions that are human centric, President Biden can address aspects of the cyber conundrum that have not been examined holistically before, including how to effectively deter China and Russia in cyberspace. Apart from those assumptions identified above, the new administration would be well served in examining its own assumptions on cyber matters, to ensure that no aspect of cyber policy is treated as resolved.

Views expressed or implied in this commentary are solely those of the authors and do not necessarily represent the views of the U.S. Military Academy, U.S. Army, the U.S. Navy, the U.S. Department of Defense, the U.S. Department of Homeland Security, or any other government agency.


Josh Stiefel works in cyber and information technology policy. He spent 10 years with the executive branch, at the departments of the Treasury and Defense. He is also a commissioned officer in the U.S. Navy Reserve and a term member of the Council on Foreign Relations.
Ian D. Smith is a career civil servant and senior analyst for cyber policy with the U.S. Department of Homeland Security, where he focuses on deterrence of advanced cyber threats. He is a combat veteran of Iraq and Afghanistan and a major in the U.S. Army Reserve assigned to the Department of Social Sciences at the U.S. Military Academy. He is also a term member of the Council on Foreign Relations.