Since January 20th, the Biden administration has been focused above all else on tackling Covid-19 and passing a landmark economic relief bill. This is unsurprising. In the context of a global pandemic, with an urgent vaccine rollout taking place, the US government must prioritise tackling Covid-19 and its economic consequences. However, President Biden has a raft of additional problems waiting at his doorstep. In particular, the US faces a two-pronged cybersecurity crisis: the impact of a vast cybersecurity breach known as the SolarWinds attack that was likely perpetrated by Russian intelligence, coupled with the fallout from Trump’s ‘legacy of cyber confusion’.
This leaves Biden with three tasks. First, he must deal with the immediate consequences of SolarWinds: identifying what data has been compromised and doing everything possible to patch exploited systems. Next, he must hold Russia accountable and engage with the private sector: building closer collaboration with partners outside of government to enhance system-wide cybersecurity. Finally, he must contend with the wider inheritance from the previous administration: responding to Trump’s absent cybersecurity strategy and articulating his own vision for how the US views this crucial policy area. This article addresses these points and presents a blueprint for the Biden administration’s cybersecurity policy going forward.
Confronting the SolarWinds Fallout
Most cybersecurity experts agree that Biden’s top cybersecurity priority should be dealing with the fallout from the SolarWinds hack, uncovered in December 2020. In this simply staggering attack, Russian intelligence services successfully infiltrated the computer networks of hundreds of US government agencies and private companies by placing malicious code into an update of the Orion software owned by the company SolarWinds. The hackers were able to evade detection for months on end by masking the attack as ordinary network activity. When this cyberattack was finally uncovered, it was identified by a private cybersecurity firm, FireEye, not the NSA or any other branch of US law enforcement.
This was an astonishing breach, representing a shocking failure of national cybersecurity. The pandemic and Trump’s impeachment may have diverted this topic from the front pages, but Biden must give this problem the attention it deserves. This means identifying the scale and extent of the breach, given that its exact impact across the private and public sector still remains unknown.¹ It also means quickly patching systems to ensure they are no longer compromised, do not continue to present threats to other networks, and can hold new data securely. In short, Biden’s first task is to stop the bleeding.
Holding Russia Accountable & Working with the Private Sector
In the medium term, Biden must be cautious in how he decides to hold Russia accountable for its actions. A full review by the US government’s Intelligence Community (IC) is ongoing, which ought to reveal more about the impetus behind SolarWinds, but a response should be formulated earlier than this. Any major retaliatory effort, while attractive to Russia hawks, will likely come with substantial downsides: notably the possibility of further, destabilising actions against the US in cyberspace. It may be that some combination of sanctions, highly targeted cyber actions, and public attribution is Biden’s path. This may not be perfect, but it holds Russia somewhat accountable without inducing escalation.
In addition, Biden needs to build close collaboration with private partners. It is significant that SolarWinds was exposed by the private firm FireEye, rather than a government agency. Private firms inevitably play a central role in cybersecurity policy. This is partly due to the expertise of tech-centred businesses, with Big Tech and private cybersecurity companies holding skills which government agencies find harder to acquire. But it is also a function of value, given the wealth of intellectual property held, and thus defended, by leading US corporations. Thus, building closer links with business must be a key pillar of US cybersecurity policy. In particular, Biden should focus on enhanced, two-way information sharing with key private sector partners to improve cyber threat detection across government and private networks.²
Defining the US Vision of Cybersecurity Policy
Beyond this, Biden must take on a more nebulous and arguably more challenging task: articulating a coherent vision of how the US approaches cybersecurity. Tackling SolarWinds is important – as is holding Russia accountable and working more closely with the private sector – but this is not a vision by itself. Instead, a US vision of cybersecurity should explain several things: what needs to be secured, how it should be secured, and who should be involved in this task, whether domestically or through international alliances.
Under Trump, the answers to some of these questions, especially the last, were unclear. Biden should seek to define how the US views cybersecurity in unequivocal terms, in a public setting. Does the US want a closer public-private partnership or will government keep intelligence to itself? Are international partners vital to ensuring cybersecurity? And how does the US view cybersecurity—whether construed in offensive or defensive terms—in contrast to other leading powers like Russia and China? Offering this kind of vision, though not easy, is an eminently achievable goal. It is, indeed, an approach that matches Biden’s wider ambition to reassert America’s status as a global leader. Still, it requires a clear and consistent message around what exactly the US wants and means by cybersecurity, as well as what it wants to avoid.
The Biden administration undoubtedly faces a tricky task on cybersecurity. The SolarWinds attack, despite a relative absence of media coverage and political attention, is an extremely serious breach: one which will require concerted effort to tackle successfully. At the same time, Trump has left a terrible legacy for Biden to build upon, reflecting an approach to cybersecurity policy that was characterised by strategic confusion and a lack of transparency.
Nonetheless, all is not lost for Biden. As this article shows, if he can make progress on these three major tasks—confronting the short-term fallout from SolarWinds; holding Russia accountable and re-engaging the private sector; and articulating a coherent vision in the long term—he will be well on track to developing a successful cybersecurity policy for the US.
1. See: https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know.
2. Something proposed in recent times by the bipartisan Cyberspace Solarium Commission: https://www.solarium.gov/report.