After what felt like a lengthy and tortuous transition period, Joe Biden became the United States’ 46th president on the 20th January 2021. Whilst some feel relieved and others disgruntled by the result, one thing is abundantly clear: the renewed and elevated focus on cybersecurity under a Biden administration is certainly promising.
It is not news that the United States is becoming increasingly vulnerable to cyber threats; the recent SolarWinds and Microsoft attacks so aptly epitomises the extent of the vulnerability of, not only the US, but the entire world. Our ever-increasing dependency on technology also suggests that the impact of the threat will grow accordingly, which can be demonstrated by our reliance on technology during the COVID-19 pandemic. Indeed, the survival and maintenance of our livelihoods, relationships and education, to name a few, currently depend on our access to technology. As both Artificial Intelligence (AI) and the Internet of Things (IoT) come to greater fruition and almost every part of our lives are inextricably connected to technology – from the appliances in our homes to our modes of transport – US citizens will also no doubt become dangerously susceptible to disruptive hacks. Looking forward, an elevated cybersecurity focus is absolutely necessary to appropriately protect US intellectual property, prevent psychological and physical damage to its people and their property and to preserve the US’ status as a major player on the world stage.
Four Years of Cybersecurity Under Trump
As one of the most serious threats facing the US, cybersecurity should be dealt with earnestly and should never have taken the backseat that it has in recent years. Despite this, skepticism surrounding cybersecurity in the US since the beginning of Donald Trump’s presidency was rife, and rightly so. Trump consistently failed to acknowledge or confront the Kremlin interference in the 2016 election – to the extent that it was considered a hallmark of his presidency – posing an enormous threat to the fabric of US democracy. The Mueller report conclusively found that Russia executed ‘a social media campaign that favoured presidential candidate Donald J. Trump and disparaged presidential candidate Hillary Clinton’ and attempted to sow mass discord across the US.
To put it into perspective, when two Russian hacking groups, Cozy Bear and Fancy Bear, hacked the Democratic National Committee (DNC), Trump was quick to state that ‘’it was the DNC that did the ‘hacking’ as a way to distract from the many issues facing their deeply flawed candidate and failed party leader’’ prior to any real investigation or analysis. This was soon found to be untrue. Worse yet, Trump had actively urged Russia to leak Hilary Clinton’s ‘missing emails’. Seemingly, Trump was more concerned with his relationship with Vladimir Putin than the security of the country he was presiding over. Or was he concerned that confronting and acknowledging this interference would highlight that his electoral victory was not so victorious after all?
More recently, Trump flippantly blamed China for the SolarWinds attack, in light of evidence that pointed to Russia, and tweeted ‘’Russia, Russia, Russia is the priority chant for when anything happens because Lamesteam is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!).’’ Again, this is completely misaligned with what his own Secretary of State and intelligence community had said which demonstrates a complete lack of coherence in the administration where cybersecurity is concerned. Sadly, in many ways, cybersecurity clearly suffered grave negligence under the Trump administration.
The evolution of ‘’defend forward’’ under Biden?
Nonetheless, Trump’s cybersecurity strategy is likely to leave somewhat of a legacy and its more active and bold tone is likely to evolve under the Biden administration. This can be inferred from the Biden-Harris statement that was released in the wake of the SolarWinds attack whereby they echoed much of defend forward and stated that “a good defense isn’t enough’’. Specifically, one concept from the Trump administration’s cyber vision that is likely to mature is persistent engagement – that is, the idea that by continuously contesting an adversary and ‘forcing them to expend more resources on defence and rebuild capabilities’, the adversary becomes less effective and the offender achieves superiority. Persistent engagement could help in the construction of norms of acceptable and non-acceptable behaviour in cyberspace through a process of tacit bargaining because states can gauge an understanding of adversaries’ so-called red lines. Therefore, it could prove to be a useful method for creating deterrence structures within cyberspace going forward. Although, as the Biden administration seeks to strengthen its offensive capabilities, it should consider that prepositioning and reconnoitring in an adversary’s network could also have undesirable escalatory effects. This raises the important question of how the US would de-escalate if escalation occurred?
Biden Takes the Baton: A Hopeful Future for Cybersecurity?
Even in the early stages of Biden’s presidency, Biden has demonstrated a much more earnest attitude towards cybersecurity. This is clear in Biden’s orchestration of a strong cybersecurity team which has been endorsed by many public and private sector individuals and was referred to by Tom Burt, the vice president of Microsoft, as ‘’world-class’’. Biden has also demonstrated a willingness to confront adversaries rather than ‘’sit idly by in the face of cyber assaults’’ which, as we have discovered, stands in direct contrast to Trump’s approach to confrontation (or lack thereof). Promisingly, Biden’s National Security Advisor, Jake Sullivan, has also made it clear that the administration is willing to use a combination of seen and unseen tools and ‘’ensure that Russia understands where the United States draws the line on this kind of activity.’’
Another reassuring factor is Biden’s desire to work with other countries and nurture stronger bilateral and multilateral partnerships after a period of neglect to help mitigate the threat. Due to the permeable nature of cybersecurity which ultimately knows no borders and is therefore an inherently team sport, this is a promising prospect. As Charlie Croom once said, “we all have knowledge and experiences that when shared make us better than we individually could be’’ and this is especially applicable where states and cybersecurity are concerned. In particular, the emergence of cyber diplomacy will be a crucial part of fostering a sense of team spirit among states by guaranteeing constant dialogue and in turn, preventing unnecessary escalation or wrongful attribution. However, under Trump, the US’ cyber diplomacy efforts were negatively impacted by Rex Tillerson’s decision to abolish the Office of the Coordinator for Cyber Issues. Fortunately, it is likely that Biden will enlist Jen Easterly as National Cyber Director, as a part of the Executive Office of the President, raising the profile of cybersecurity as a clear priority. The hope is that Easterly will then be able to coordinate the government’s cyber capabilities and bolster the US’ cyber diplomacy through her efforts.
One aspect that could have made Biden’s cybersecurity approach more encouraging is the appointment of more private sector experts. Those set to be in leadership positions are largely from the public sector which is wildly disproportionate to how much of the US’ internet infrastructure is owned by the private sector, which is the vast majority of it. Therefore, a fusion of public and private sector expertise would be more representative of this dynamic and provide a richer pool of knowledge. It would also help to create a more effective channel of communication between the two whereby threat information can be shared more easily and effectively. Importantly, appointing more individuals from the private sector would likely provide an opportunity to bring greater clarity to the public-private partnership in the US, as ‘there are no clear statements outlining legal authority, responsibility and rights across the diverse set of relationships that the government maintain with the private sector’. Ultimately, this would provide direction and confidence to the public and private sector to make definitive decisions within their remits of responsibility.
Overall, if there is anything that we can conclude from this, it is that losing Trump will hopefully be a triumph for cybersecurity in the US. A revived focus on cybersecurity and the employment of offensive and defensive measures from a world-class team of experts means that projections for the future of cybersecurity in the US are largely optimistic. However, in the absence of private sector appointees, it is hoped that the Biden administration will make serious efforts to nurture a stronger public-private sector partnership in other ways going forward. Ultimately, the Biden administration’s responses to the SolarWinds and Microsoft attacks should paint a much clearer picture of what cybersecurity will look like for the US in successive years.
Harriet is an MA National Security Studies student at King’s College London and a recent Politics and International Relations graduate. Her final year dissertation explored the UK’s decision to renew Trident and was titled ‘Chasing Status: was status the dominant driver of the UK’s decision to renew its Trident nuclear deterrent in 2016?’ Her broader writing interests include cybersecurity strategy and policy, radicalisation, counter-terrorism, status and emotions in an International Relations context and non-proliferation.