In-the-News: Politico's "Cyber Under Biden"

This article originally appeared in The Politico, November 9, 2020.

Compared with issues such as immigration and health care, cybersecurity is one of the policy areas least likely to see dramatic change during Joe Biden's presidency — but that doesn’t mean he will simply maintain the status quo.

If the president-elect's victory holds, he instead is likely to bring a more organized, focused approach to cyber issues such as election security, critical infrastructure protection, 5G supply chain issues and intellectual property theft, according to cyber policy specialists from a range of disciplines. They predict better international engagement and more interagency coordination, a dramatic break from President Donald Trump’s isolationist agenda and chaotic bureaucracy.

“What you'll see is a recommitment to cyber being an important issue,” said Chris Painter, who held formative cyber positions at the White House, the Justice Department and the FBI before serving as the U.S.’s top cyber diplomat from 2011 to 2017. “He’ll take the good things that have happened, and he’ll make them more consistent and strategic.”

As Biden’s campaign-trail rhetoric made clear, he also intends to break with Trump rhetorically on Russian election interference and embrace the career professionals of the U.S. intelligence community — areas where policy observers say presidential action has been absent or counterproductive in recent years.

But Biden will also likely to build on bipartisan work that began under Trump. For example, he’s expected to continue confronting China over its expansionist agenda, maintain the expanded authorities of U.S. Cyber Command’s online army and help bolster DHS’s two-year-old cyber agency.

James Lewis, the senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, predicted that Biden would marry “a high degree of continuity” with “a lot smoother implementation.”

Cyber was never a top priority for Trump, who famously told an aide that “all your cyber shit” would “get me in a war,” according to Bob Woodward’s book “Fear.”

By contrast, Painter said, Biden understands that prioritizing cyber issues is key to protecting America’s national security.

A night-and-day difference on Russia

Biden’s biggest break with Trump on cyber policy will likely be over the issue that has shadowed Trump since the 2016 campaign: The Russian government’s interference in U.S. elections and its other aggressive cyber operations, several of which federal prosecutors recently detailed in an indictment of six Russian intelligence officers.

Biden, a former Senate Foreign Relations Committee chairman, has been vocal in recent months about the threat that Moscow poses to Western democracy, and as vice president, he saw firsthand how the Kremlin uses digital attacks to advance its interests. “He understands that it's immediate, he understands that it's ongoing, he understands that it's really existential,” said Evelyn Farkas, who served as deputy assistant secretary of defense for Russia, Ukraine and Eurasia from 2012 to 2015.

Unlike Trump, Farkas and other policy experts said Biden will not hesitate to confront Moscow over its cyberattacks and its interference in other countries’ elections.

During the Trump administration, agencies such as the Treasury Department and U.S. Cyber Command have occasionally struck back against Russian hackers with sanctions and digital disruptions, but Trump has undercut these efforts by dismissing Russian aggression and labeling election interference a “hoax.”

By contrast, Biden seems likely to champion those agencies’ work to deter Russian aggression.

“I suspect he will look for ways of making Russia pay for its activity in both the 2016 and the 2020 election,” said Richard Clarke, who served as the top cyber adviser to Presidents Bill Clinton and George W. Bush.

Election security: No longer taboo

Election security was a third-rail issue for Trump, who saw it as a suggestion of his illegitimacy, but Biden has given indications he will embrace the issue.

“He will bring deterrence to the forefront of an election security policy,” said Jake Braun, the executive director of the University of Chicago’s Cyber Policy Initiative and a co-organizer of the Voting Village at the DEF CON hacker conference. “The overarching principles by which he’s going to approach this make a huge difference.”

Expect Biden to be more personally involved in and supportive of discussions about protecting election systems and combating disinformation, Braun said.

Perhaps most important of all, Biden will almost certainly continue discouraging, rather than amplifying, conspiracy theories that threaten America’s political stability. Disinformation analysts consistently describe Trump’s promotion of discredited falsehoods as a major threat to election integrity.

The biggest political fault line in election security is whether Washington should more directly regulate voting equipment and security procedures. State and local officials jealously guard their existing authority, and Republicans overwhelmingly support this states’-rights model, but many Democrats say the current patchwork system creates unnecessary risks.

Congress has approved several rounds of federal election funding with almost no strings attached. It is unclear whether Biden will push to attach conditions to future funding, though he is unlikely to embrace House Democrats’ ambitious regulatory plans because doing so would upset state officials and moderate lawmakers. Braun said Biden might support an election security program modeled on the Obama Education Department’s “Race to the Top” competitive grant initiative.

Left hand, meet right hand

With the Trump White House constantly embroiled in scandal, federal agencies have largely managed their cyber activities without central coordination over the past few years. Biden will almost certainly change that and introduce a more organized approach.

“You're not going to see the president with one attitude and the agencies with another,” Clarke said.

Whereas the Trump administration eliminated the cyber coordinator position in the National Security Council, Biden is likely to bring it back. He might even support the Cyberspace Solarium Commission’s recommendation of a National Cyber Director inside the White House, a cyber analog to the Office of the U.S. Trade Representative, according to Clarke. Either approach would reinvigorate a currently sclerotic NSC.

Mending ties with the nation’s spies

Biden’s approach to the intelligence community is likely to be the polar opposite of Trump’s, which will heal relationships that are vital to protecting the country from cyber threats.

“The intelligence community will definitely take a relieved breath of fresh air” now that Biden has won the election, Farkas said.

Unlike Trump, Farkas said, Biden understands both the value that intelligence provides to policymakers and the importance of protecting classified material.

A return to the world stage

Given Biden’s experience with foreign policy and his gregarious temperament, his administration is likely to enthusiastically engage with foreign partners, including the U.S. allies whose support will be vital to the development of “rules of the road” for cybersecurity and the collective deterrence of malicious online activity.

The Trump administration was occasionally successful in convincing other countries to join in making cyber announcements, such as the attribution of the NotPetya malware to the Russian government. But under Trump, the State Department downgraded its cyber diplomacy office and dragged its feet in creating a bureau to replace it. Meanwhile, Trump’s “America First” doctrine and his appointment of officials such as Mike Pompeo and Ric Grenell grated on longtime allies.

“If you're pushing away your allies … in various trade and other disputes with them,” Painter said, “it makes it harder to get those allies to coalesce around issues like cyber.”

Farkas said she expects this situation to improve quickly under Biden, who “understands clearly how the international order advances U.S. interests.”

Added Clarke, “I would expect the Biden administration to try to do as much multilaterally as possible.”

During a virtual finance event on Nov. 1, Biden promised to “host a summit of the democracies” to address election security and other issues in his first year.

Embracing the new cyber army

One of the Trump administration’s most significant cyber policy decisions was elevating U.S. Cyber Command’s position within the military and granting its leader, Gen. Paul Nakasone, the unilateral authority to launch digital attacks. Former President Barack Obama insisted on signing off on every such strike, an arrangement that many cyber policy watchers say was unnecessarily constrictive.

Biden is not likely to return to Obama’s approach. He told The New York Times that a presidential order should not be required to launch cyberattacks against foreign countries. And Nakasone is well regarded, so Biden will likely trust his judgement, said Lauren Zabierek, a former U.S. intelligence analyst who now directs the Harvard Belfer Center’s Cyber Project.

Some of the people under consideration for White House and Pentagon jobs under Biden “have good relations with Nakasone,” Lewis said, “so they might be more amenable to keeping the relationship kind of the way it is now.”

Continuing to confront a cyber menace

Biden is also likely to maintain Trump’s hard line against China, even if he doesn’t focus on its cyber aggression. Beijing is responsible for some of the most serious cyberattacks in U.S. history, including the 2015 hack of the Office of Personnel Management.

Even so, Biden might not push companies as hard as Trump did to leave China, and he might not be as eager to use supply chain security regulations to carve out an economic and technological order that excludes Beijing.

“There’s general agreement that China poses a risk and that you need to do something about that,” Lewis said. “What there isn’t agreement on is, how far do you want to go with decoupling?”

In 2015, China promised the U.S. that it would stop deploying its hackers for economic espionage. It mostly abided by that promise during the final year of the Obama administration but resumed these activities when relations soured under Trump.

Biden, who supported the negotiating strategy that led to the deal, may try to revive it, Clarke said.

Reinforcing the newest federal agency

One of the most important Trump-era cyber reforms was the 2018 transformation of a DHS division into the Cybersecurity and Infrastructure Security Agency.

CISA quickly became one of the key cogs in the federal cyber community, building strong relationships with the operators of the nation’s critical infrastructure, including election officials. It oversees the defense of federal networks from hackers and helps the owners of vital commercial infrastructure secure their systems. Its director, Christopher Krebs, is widely respected across party lines and throughout the private sector. While Trump’s immigration policies have plunged the rest of DHS into turmoil, CISA has avoided the political fray.

Biden will likely let CISA continue doing its important work, Clarke said, and support bipartisan calls for increasing CISA’s funding and authority.

One of Biden’s most important cyber decisions will be replacing Krebs. CISA “is clanking along enough now that it can do its job no matter who's on top,” Lewis said, but “it would be better if they had a strong leader. There’s things that need to be improved, and you need a strong leader for that.”

Picking a new CISA director could be one of Biden’s biggest cyber-related challenges. “The names I've heard suggest that it's going to be hard to replace Chris,” Lewis said. “There may not be that many candidates in the wings who could do that [job].”

To view online:
https://subscriber.politicopro.com/cybersecurity/article/2020/11/cyber-under-biden-similar-policies-but-a-much-higher-priority-2016136