Biden cyber legacy defined by AI, China and software security

Driving the news: Neuberger, deputy national security adviser for cyber and emerging tech in the White House, is leaving her role Friday ahead of the inauguration.

• Her last few weeks have been busy: She spearheaded the administration's second cyber executive order, which was signed yesterday; traveled to CES last week for the launch of the U.S. Cyber Trust Mark program; and published a Foreign Affairs piece Wednesday about artificial intelligence's influence on global espionage.

The big picture: In one of her final interviews as a Biden official, Neuberger told Axios that China, AI and software liability were the three tentpoles of her office's work over the last four years.

• The discovery that China has been lurking inside U.S. power utilities, water systems, online communications and more for years forced the Biden administration to double down on creating minimum cyber requirements for companies, she said.
• Neuberger also pointed to the administration's work to tap AI for cyber defenses, as seen in the 2023 AI executive order (which Trump has promised to rescind) and this week's cybersecurity order.
• The Biden administration introduced the idea of holding software providers liable for the security flaws in their products — a project that officials admittedly knew would take nearly a decade to fully implement.

Flashback: Neuberger is the only senior cyber official who has been on the job since Day 1 of the Biden administration.

• When Biden took office, his team also took over the response to the Russia-backed intrusion of SolarWinds, which affected at least nine federal agencies and 100 companies.
• Then, Russian ransomware gangs went on a summer rampage through U.S. infrastructure, targeting the country's largest refined products pipeline, a meat production facility and a widely used IT vendor.
• The only time Biden and Russian President Vladimir Putin ever met in person was primarily to discuss ransomware.

Now, the new Trump administration is coming in as the U.S. government is responding to a range of China-backed cyberattacks on government networks.

• Neuberger is one of only a handful of people in the world who understands that feeling.

• Her advice to those replacing her: "Use the power of procurement, use the rules around what we buy," she said, and "keep [the products we buy] regularly updated because adversaries' offensive techniques evolve and our defenses have to continuously be updated."

By the numbers: The Biden administration made a lot of strides in bringing certain critical infrastructure sectors up to speed, Neuberger said.

• 100% of U.S. pipelines now meet baseline cybersecurity requirements that were put in place following the 2021 Colonial Pipeline attack.
• 70% of railways now comply with their own new baseline requirements.
• 60% of airports also are following new requirements as of this week, she added.

Reality check: The Biden administration still hit a few legal hurdles when trying to implement its agenda.

• To avoid this, Neuberger said, the incoming administration and new congressional leaders should take the time to ask each agency what it needs to make securing its sector easier — "whether that's resources, whether that's ways to attract or retain top talent, whether that's deeper ties to the intelligence community," she said.

The bottom line: Neuberger is hopeful that much of her team's work will remain intact, since cybersecurity has mostly remained a nonpartisan issue.

• "We've got to continue to do more to make defense continuously, rapidly evolving and never rest on our laurels," Neuberger said. "We know attackers are never resting."

Go deeper: Biden signs executive order on AI and software security