“We are in the midst of a crisis and a top priority must be assessing and mitigating the damage from the massive malicious cyber campaign attributed to Russia for which SolarWinds was one vector,” said Suzanne Spaulding, senior adviser for homeland security at the Center for Strategic and International Studies and a former Department of Homeland Security cybersecurity official during the Obama administration. (The Cybersecurity 202 Network is an ongoing, informal survey of more than 100 cybersecurity and privacy experts from government, the private sector and academia. Some were granted anonymity in exchange for their participation. You can see the full list of experts here.)
Biden has already started working on this. He called for an investigation into the Russian hack and raised concerns about Russian hacking in a call with President Vladimir Putin, though he has not yet committed to any retaliatory action.
But there's still a lot left to do, our experts say. Here are some of their recommendations:
1. Biden should fill out his cybersecurity team.
Two key positions remain unfilled: the White House cybersecurity czar — a Senate-confirmed position newly required by a recent defense bill — and director of the DHS's Cybersecurity and Infrastructure Security Agency.
“The president should quickly announce his nominee for CISA director, press for that nominee to be confirmed quickly, and push hard for Congressional funding for CISA to be able to execute its new threat-hunting authority,” said Bobby Chesney, law professor at the University of Texas at Austin.
“Start establishing the Office of the National Cyber Director,” said Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cyber czar under President Barack Obama. “While the legislation provides a good foundation, getting it established and making it effective will require significant senior policy attention.”
Filling those roles will be key to recovering from the attack, said Debora Plunkett, a former National Security Agency director of information assurance. “The most important thing the administration can do is to organize the senior-most cybersecurity roles and clearly assign [and] identify responsibilities,” Plunkett said. “There is much work to be done and having the right structures in place will enable the work to be done more efficiently.”
2. The government needs to spend more money on cybersecurity, several experts said.
The recent Russian hack “adds urgency to getting more resources for CISA,” Spaulding said.
Biden has already called for roughly $10 billion in funding from Congress for cybersecurity and information technology in his coronavirus relief proposal. That includes $690 million for CISA.
3. DHS shouldn't be the only priority, some experts note.
“[Biden is] building a good staff for [the National Security Council] and CISA, but the authority to improve critical infrastructure cybersecurity is spread over several regulatory agencies that will require very pointed oversight and coordination (and maybe some new authorities) to address pipeline, power grid and telecom security,” said Stewart Baker, former NSA general counsel and first assistant secretary for policy at the Department of Homeland Security.
Biden should also “substantially beef up cybersecurity support” for Health and Human Services as it faces increased threats to the coronavirus vaccine data and supply chain, said Greg Garcia, executive director for cybersecurity of the Health Sector Coordinating Council.
The State Department also has a major role to play, they said. “Elevate the State Department's role in cyber defense: It's tempting to focus on NSA, CIA, and DHS, but the administration will need a fresh diplomatic effort to lead international cyber policy initiatives,” said Laura Galante, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “State's ability to reshape perceptions of U.S. cyber operations could have outsized effects on Russia and China's actions in this domain and beyond.”
Secretary of State Tony Blinken has embraced cyber diplomacy as a part of the agency's mission. Mark Weatherford, a former top Homeland Security Department cybersecurity official, said bringing back a top cyber diplomat role is key to making it a success.
Chris Painter, who formerly held the role at the State Department, said Biden should “recommit and expand global partnerships to strengthen cybersecurity and a collective response to growing cyber threats.” “Of course, diplomacy alone is not a silver bullet, but it's an important part of our cyber defense,” Painter said.
4. Partnerships with the private sector could take center stage.
“Improving cybersecurity also means strengthening relationships and the private sector and building partnerships in the tech industry, which is on the front line of fighting this battle every minute of every day,” said Jay Kaplan, co-founder of Synack. “Ethical hackers and researchers inside cybersecurity firms, cloud providers or online retailers understand what it takes to defend against the threat and can help build better cyber defenses.”
That includes joint efforts tackling growing ransomware attacks. “The government will not be able to address this problem on its own,” Daniel said. “Within the first 100 days, the Biden administration should announce a counter-ransomware initiative out of the Office of the [National Cyber Director].”
A Biden administration could also build on growing law enforcement efforts to crack down on cybercriminals. “Subject the criminals behind the ransomware scourge to serious consequences,” said John Hultquist, director of intelligence analysis at FireEye.
5. Biden also should consider investing in innovative techniques, several experts suggested.
Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, is calling for a “National Cyber Moonshot” initiative to boost the defenses of national and critical infrastructure. He's also calling for more investment in “scalable and automated” solutions that can help detect breaches.
Daly is also recommending that Biden “drive Cyber Command and the National Cyber Mission Forces to collaborate with CISA and the NSA to bring more active defense measures in partnership with the private sector to suppress future cyber attacks.”
Marcus Fowler, director of strategic threat at Darktrace, also suggested that Biden should embrace autonomous defense systems that are trained to stop sophisticated attacks without being told what to do by a human. “Deterrence and defending forward are no longer enough to protect against or disrupt the new era of cyberthreats we are facing,” Fowler said.
6. Biden also should look toward international allies, experts say.
The United States won't be able to tackle the challenge from Russia and other adversaries alone, they say.
Kaplan suggested that the United States join the Paris Call, an initiative led by the French government for international allies to combat cybercrimes, as one step toward international coalition-building. “We need the combined strength of our democratic allies to beat back the onslaught of breaches and hacks that are infiltrating sensitive industries, harming health care institutions in the midst of a pandemic and threatening national security,” Kaplan said.
“I would also have the president acknowledge that cybersecurity problems are global problems and will need a globally focused response to be effective,” said Jeff Moss, founder of the Defcon cybersecurity conference. “Do things to reinforce these two positions over the first 100 days to show commitment.”
The bottom line is that “if the president takes cybersecurity seriously then others will take it seriously,” said Moss. “This difference in priorities and tone will do more to advance existing security initiatives than the creation of yet another strategy would.”
“He should signal — in as many ways as practical — that cybersecurity will be a priority for this administration's first 1,000 not just 100 days,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “It's the 1,000-days horizon where concrete progress can be made.”
More highlights from The Network about what Biden can do in his first 100 days:
Maurice Turner, a cybersecurity expert and former senior adviser to the U.S. Election Assistance Commission:
“Reassure Americans that cyberattacks on critical infrastructure by foreign adversaries will not be tolerated. I look forward to the public intelligence community report of attempted cyberattacks targeting elections in 2020.”
Tor Ekeland, managing partner for Tor Ekeland Law PLLC:
“Reset all the government's passwords to 16 characters or more, use 2FA, encrypt encrypt encrypt, air-gap critical networks and train federal employees and contractors on social engineering and best habits to avoid it. In short, do a full cybersecurity audit of the government and make sure the foundations are solid.”
Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center:
“1. Direct that the cybersecurity architecture of the federal government, including Einstein, be modernized to handle zero-day, non-signature-based cyber threats.
2. Direct a review of the security of the supply chain of information technology products. Consider a “supply chain cybersecurity certification” for products purchased by the federal government and critical infrastructure.”
Marten Mickos, CEO of HackerOne:
“Make sure all vital functions of society — government agencies, NGOs, corporations — establish vulnerability disclosure policies. A VDP describes the activities that can be undertaken to find and report vulnerabilities in a legally authorized manner. Such policies enable the owners of systems to remediate vulnerabilities before they can be exploited by an adversary to immense public benefit.”
Peter Swire, senior counsel at Alston & Bird:
“Strict security measures can be difficult to adopt because they often create inconvenience for users. The administration can send helpful signals by visibly choosing better security over convenience in one or more early decisions.”
John Pescatore, director of emerging security trends at the SANS Institute:
“Task the FCC to require all telecoms and Internet service providers to block all well-known and commonly agreed-upon malware and attacks as part of looking at the overall issue of social media and telecoms' content responsibility. As a minimum, announce that the U.S. government will require such filtering on all government-procured telecoms and Internet/cloud services … The goal is to immediately start using the buying power of the U.S. federal government to drive higher levels of security in the market.”
Katie Moussouris, founder and CEO of Luta Security:
“To strengthen the U.S. readiness for both cyber offense and defense, the Biden administration must perform a detailed risk assessment of not just high value targets, but also a comprehensive cyber workforce study to determine what types of job roles we need and where our cyber workforce shortages are causing the most damage.”
Tony Cole, chief technology officer at Attivo Networks:
“A focus on education in the U.S. on cybersecurity issues and disinformation is also required to help Americans.”
Eva Galperin, Electronic Frontier Foundation’s director of cybersecurity:
“Support strong end-to-end encryption.”
Suspected Russian hack went far beyond SolarWinds, investigators find.
Around 30 percent of the victims linked to the attack did not have a direct connection to SolarWinds, acting CISA director Brandon Wales told the Wall Street Journal’s Robert McMillan and Dustin Volz.
Wales said that hackers compromised some victims before SolarWinds rolled out its corrupted Orion software early last year. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign,” Wales said.
Investigators said that the hackers guessed passwords and exploited other vulnerabilities in unnamed companies’ software. Wales called the attackers “creative,” noting that “we continue to maintain that this is an espionage campaign designed for long-term intelligence collection.”
Congressional Democrats are pressing the NSA for answers on the 2012 Juniper cyberattack.
Sen. Ron Wyden (D-Ore.), Sen. Cory Booker (D-N.J.) and eight House Democrats want to know what the National Security Agency is doing to protect the federal government from supply-chain breaches, including the 2020 cyberattack on SolarWinds and other software.
In a Friday letter to NSA Director Paul Nakasone, the lawmakers asked about the NSA’s role in creating the technology exploited by hackers who infiltrated Juniper Networks in 2012. The hack, which US officials say was probably conducted by a foreign government, affected the company’s popular VPN and firewall software.
Last year, Wyden and a slew of lawmakers asked Juniper to tell them about the hack and investigation. Brian Martin, an executive at the firm, responded by denying that the company inserts back doors into its products.
After cyberattack on courts, lawyers are changing how they file sensitive documents.
They’re being forced to file sensitive documents the old-fashioned way: printing and hand-delivering them to courthouses, the AP’s Maryclaire Dale reports.
The courts’ criminal, civil and bankruptcy systems were breached as part of the SolarWinds cyberattack. The Foreign Intelligence Surveillance Court system, which handles sensitive national security warrants, is not thought to have been compromised.
“I fear that we do not know how Russia could take advantage of the access and information it may have obtained, and we likely won’t know until it’s far too late,” Sen. Richard Blumenthal (D-Conn.) said. “The cleanup of this breach will be extraordinarily difficult ..., but we cannot cut corners and just hope that the Russians left.”
Rep. Michael McCaul (R-Tex.) will reintroduce cyber diplomacy bill.
The House Foreign Affairs Committee's ranking Republican, Michael McCaul (Tex.), plans to reintroduce a bill to create a cyber office for the State Department, which the House passed in 2018, the Hill’s Maggie Miller reports.
House cyber panel gets a new leader.
Rep. Yvette D. Clarke (D-N.Y.) will lead the House Homeland Security Committee’s cybersecurity subcommittee, Chairman Bennie G. Thompson (D-Miss.) announced Friday.
Clarke, a member of Congress since 2007 who has led the panel before, will oversee it as it looks into the fallout of the cyberattack that hit SolarWinds and other companies. And Rep. Elissa Slotkin (D-Mich.), a former CIA analyst and Defense Department official, will lead the intelligence and counterterrorism panel.
National security watch
Biden gets a new intelligence briefer.
Longtime CIA analyst Morgan Muir will brief President Biden, the New York Times’ Julian E. Barnes and Adam Goldman report. Muir, who briefed President George W. Bush, will probably work with additional briefers.
- Chris DeRusha, President Biden’s new federal chief information security officer, speaks at the “Identity, Authentication, and the Road Ahead” virtual conference, which is being held on Thursday and Friday.
- Reps. Bill Foster (D-Ill.) and John Katko (R-N.Y.) also plan to speak at the event, along with Michael Mosier, the deputy director and digital innovation officer at the Financial Crimes Enforcement Network.