As the U.S. transitions to a new presidential administration, which can be expected to differ largely from the last, it is hard not to speculate how President Biden’s Administration will reduce the risk of a major cyberattack against the U.S. or her interests. The recent SolarWinds attack, widely attributed to Russian actors, further amplifies the need for improved security and deterrence. Despite my best efforts to come up with a brilliant “thought leadership” piece on what I think the Biden Administration should do, the best answer has already been written and published in March of 2020 as the 2020 Cyberspace Solarium Commission Report.
Co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R - WI), the bipartisan Cyberspace Solarium Commission proactively scrutinized U.S. cybersecurity in much the same way the 2004 9/11 Commission Report reactively assessed failings within the U.S. Intelligence Community (IC) and offered recommendations for sweeping changes. The Cyberspace Solarium Commission, just as the 9/11 Commission before it, made bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace. Among the many Cyberspace Solarium Commission recommendations, here are the three I will be watching most closely.
1. Issue an Updated National Cyber Strategy
The Commission accurately assessed that the U.S. Strategy on Cybersecurity is both out of date and plagued by the lack of a single executive owner. The new policy is expected to focus on layered deterrence, resilience, public-private collaboration, and “defend forward.” Those last two items are the ones I would watch carefully.
Public-private collaboration - Increased emphasis on public-private collaboration we will likely ramp up rhetoric of nationalization and accusations of civil rights violations (much like we witnessed with the Patriot Act) and corruption related to how private companies are awarded opportunities for (and profit from) collaboration.
“Defend Forward” - The Commission posited that the U.S. “has not created a credible and sufficient costs” for malicious cyber operations. The new policy is expected to prioritize “proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior” over simply responding to malicious behavior.
If codified in new U.S. policy, this significant change in position and will be simultaneously championed as both a bold move to create meaningful deterrence and harshly maligned as a risky move that could turn cyberspace into a hot battlefield - with real civilian casualties – despite the lack of agreed upon international norms for acceptable behavior.
2. Establish a Senate-Confirmed National Cyber Director
It has already been widely reported that Biden will select Jen Easterly - the former deputy director for counterterrorism at the National Security Agency who served on President Obama’s National Security Council before joining Morgan Stanley in 2017 - for this role.
A West Point grad who studied at Oxford, Easterly is an expert in intelligence and terrorism who brings the added insights of cyber threats to the private sector from her time in the financial sector. Most importantly, in my estimation, is that Easterly is not a policy wonk or technologist. If the national strategy is going to move aggressively forward, the NCD must be someone who understands the implications of war.
As the first NCD, tasked with building and leading the first Office of the National Cyber Director (ONCD), Easterly will be taking on a role like John D. Negroponte’s path as the first Director of National Intelligence (DNI) in charge of the Office of the Director of National Intelligence (ODNI) in 2005. Just as Negroponte needed to address the fragmentation within the IC and establishing a single unifying voice, Easterly “will be responsible for the integration of cybersecurity policy and operations across the executive branch.”
The newly minted NCD will likely have a heavy hand in developing the National Cyber Strategy and then be expected to serve as the single voice uniting the messages of US Cyber Command, Cybersecurity and Infrastructure Security Agency (CISA), and every agency across the U.S. Intelligence Community on all things cyber. Yet the Commission recommended the NCD be forbidden from interfering in the activities of the Department of Defense, the ODNI, the Department of Justice and the FBI. While they should be kept abreast of operations, the NCD will not have the authority to impact activities of those organizations even if their efforts directly conflict with the National Cyber Strategy.
I suspect there will be many interesting conversations between Biden’s new NCD and DNI.
3. Implement policies designed to better recruit, develop, and retain cyber talent
This is where the rubber meets the road in the Cyberspace Solarium Commission’s recommendations. Because, even if all the best strategies and policies are created and uniformly agreed upon across all government and private sector domains (which is doubtful), none of that will matter if the talent to execute does not exist. Quite frankly, the government has a serious problem competing for talent.
Firstly, the U.S. has a massive shortage of cybersecurity talent and an education system proving incapable of keeping up with growing demand. In late 2019, (ISC)2 put the estimated number of unfilled cybersecurity jobs at 4.07 million and stated that the cybersecurity workforce would need to increase “62% to better defend U.S. organizations.” This trend is going the wrong direction. One way to reverse it would be to better address the continuing lack of diversity and inclusion in science and technology. When more people from all walks of life, races, genders, economic circumstances, and backgrounds are given equal access to these fields, the available workforce will increase dramatically. But, while our nation is battling to address the root causes that keep doors to these opportunities closed to far too many Americans, we can only hope the trend against biases and bigotry will continue in the face of strong opposition to changes that many perceive as a threat to their own advantageous positions.
Secondly, the alure of government work has traditionally been patriotism, job security, and long-term financial stability through pensions. But much of today’s premium cyber talent is very distrustful of the government, have seen the term “patriotism” maligned and abused, understand that job security can equal stagnation, and see government retirement savings programs (which replaced pensions) synonymous or inferior to the 401(k) plans offered by most private companies.
In contrast, private enterprise generally offers more attractive opportunities. This often includes better compensation packages and more inviting work environments (modern corporate facilities, increased hybrid and remote work options, unstructured hours, casual dress codes, free food, drink, and entertainment, etc.). In the private sector, opportunities for entrepreneurship are also greater, including ownership stakes in start-up companies. Finally, in contrast to the public sector, the business world represents more freedom. This is exemplified by the freedom to chase big ideas (and fail fast if necessary) as well as the liberty borne of embracing diverse and inclusive lifestyles, including the use of marijuana for medicinal and recreational purposes (in states where it is legal).
That last tidbit may not seem meaningful but as far back as 2014, then-Director of the FBI James Comey told the New York City Bar Association, "I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.”
Many cybersecurity wizards capable of contributing significantly to the nation have lifestyles that should not be judged by rigid and outdated policies. Things like casual marijuana use should not necessarily disqualify candidates. To attract more of today’s top cyber talent, the government must re-evaluate how it applies federal laws related to marijuana and other hurdles that stand in the way of building top teams. Many standards we still adhere to were developed decades prior to both the modern scientific research on cannabis and the threats posed in cyberspace; a rethink is past due. (Note: As someone who still maintains a security clearance, I have never used marijuana in any form. My position here is about cybersecurity policy; not personal preference.)
While the Solarium Commission offered a laundry list of recommendations for funding, training, recruiting, partnerships between the public and private sectors, and military transition programs, none of those recommendations address the concerns I listed above. The recommendations may create a training ground for talent that will benefit from the growth of their skills and then abandon the government for the private sector, resulting in a revolving door for the government. Perhaps I will be proven wrong on this point. I certainly hope so.