Dec 2, 2020 - Politics & Policy

Setting the Biden-era cybersecurity agenda

a tech-looking flag with biden's name in a search box over it

Illustration: Annelise Capossela/Axios

The Biden administration will face a wide array of cybersecurity challenges but can take meaningful action in at least five key areas, concludes a new report by the Aspen Cybersecurity Group.

Why it matters: Cybersecurity policy is a rare refuge from Washington's hyperpartisan dysfunction, as shown by the recent work of the bipartisan Cyberspace Solarium Commission. President-elect Joe Biden should have a real opportunity to make progress on shoring up the nation's cybersecurity and cyber capabilities without bumping up against a likely Republican-controlled Senate.

Where it stands: Per the report, these opportunities include creating a more cyber-ready workforce, fortifying the “public core” of the internet, boosting supply chain security, developing new systems to measure cybersecurity, and enhancing public-private collaboration on shared cybersecurity interests.

  • The Aspen group behind the report features current and former government officials — Republicans, Democrats and apolitical national security experts — and private-sector leaders, including former Deputy DNI Director Sue Gordon, former homeland security adviser Lisa Monaco and former NSA Director Keith Alexander, among others.

How it works: The report recommends concrete actions on each front that the Biden administration could take, often in concert with Congress. Here some of the key recommendations.

1. Education and workforce development: Biden could seek new federal funding for grants to support organizations that help increase the participation of underrepresented communities in the cybersecurity field, as well as funding to develop a nationwide K-12 cybersecurity curriculum.

  • Those and other measures could help close the "supply gap" in cybersecurity positions, the report concludes, which has left more than 520,000 jobs open in the field, in part due to gaps in diversity, equity and inclusion in the cybersecurity space.

2. Securing the internet: Biden could designate space, including the commercial space sector, as critical infrastructure, in order to make government actors freer to intervene to harden the next generation of technology powering the internet, some of it poised to be satellite-based.

  • There should also be a "single interagency strategy," the report contends, on securing that interconnected agglomeration of hardware and software, known as the internet's public core.
  • And Biden could create a new assistant secretary position in the State Department aimed at working with other countries on cybersecurity issues.
  • As it stands, the fragmentary and piecemeal evolution of the internet has left much infrastructure with critical unaddressed vulnerabilities, says the report.

3. Securing supply chains: The incoming administration could require device makers to label their products with alerts about potential insecurities, particularly in Internet of Things devices.

  • It could also fund "critical technology testing centers" where the private sector could check for security flaws. And it could help support more open-source software, which would open technology to more security scrutiny.

4. Measuring cybersecurity: Biden could, among other initiatives, establish a "Bureau of Cyber Statistics" to track and provide statistical data to policymakers and the public, as well as have the Department of Homeland Security form a working group on cyber risk that brings in the insurance industry and modeling experts to better work out potential pricing schemes for cyber insurance.

  • The report says that “today, the federal government lacks the most basic, reliable data” on a wide range of critical issues like cyberattacks.

5. Operational collaboration: Biden has a chance to spur more cooperation among law enforcement, intelligence agencies and private companies to take on cyber criminal syndicates and plan for major cyber threats. He could seek to establish a Senate-confirmed “National Cyber Director” to coordinate all cybersecurity policy across the U.S. government and liaise with the private sector, an idea previously floated by the Cyberspace Solarium Commission.

  • He could also ramp up incentives for federal law enforcement to disrupt cyberattacks and cyber crime and create an exchange program for private security and government cybersecurity employees.

What’s next: The new national cybersecurity agenda — as well as ransomware, disinformation, supply chains, China and more — will be part of the discussion at this week’s Aspen Cyber Summit, now underway.

Go deeper