At a glance.
- Early speculation about the Biden Administration's cyber policies.
- The Trump Administration's last EO on cybersecurity.
- The World Economic Forum forecasts a spooky near future, with much cyber risk.
Cyber policy in a new US Administration.
President Biden was inaugurated yesterday, and several senior appointments to cybersecurity posts have been made (pending, where required, Senate confirmation). CyberScoop reports that Michael Sulmeyer, who's held senior cyber jobs under both the Obama and Trump Administrations, will serve as senior director for cyber in the new White House staff. He's most recently served as a senior advisor to General Nakasone, Director, National Security Agency, and Commanding General of US Cyber Command. (His new post will apparently not be the "cyber czar" recommended by the Cyberspace Solarium and mandated by the most recent National Defense Authorization Act. That post remains to be filled.)
Prospective cabinet-level appointees have been answering Senatorial questions about cybersecurity. Prospective Secretary of Homeland Security Alejandro Mayorkas told the Senate Homeland Security Committee that he intended to make cybersecurity "a priority." Meritalk quotes him as suggesting that CISA in particular would stay the course it set under its first director: "CISA must improve the cyber hygiene of the Federal government for the many departments and agencies throughout it. It must strengthen the public-private partnership, not only for the benefit, of course of the Federal government, but for the benefit of the private sector itself." He also gave the Cyberspace Solarium Commission a favorable nod: "I take stock of the fact that the Solarium Commission’s recommendation for a National Cybersecurity director was passed. I think this is going to require an all of government approach, and there’s a great amount that will rest on the shoulders of CISA.”
According to the Wall Street Journal, Avril Haines (now confirmed as Director of National Intelligence) indicated that the widely accepted judgment that China, Russia, Iran, and North Korea represent significant international adversaries in cyberspace is likely to continue. Haines disclaimed any unusual focus on domestic extremism, but the New York Times reports that she did say the Intelligence Community would under her watch look closely for signs of foreign influence over domestic radicalization.
And retired general Lloyd Austin, nominated for the post of Secretary of Defense, told Senators that he favored a continuation of what C4ISRNet calls "a proactive and assertive approach to thwart cyber actors," which sounds like an endorsement of persistent, forward engagement. Both Haines and Austin advocate closer Government-industry cooperation, C4ISRNET writes, and this too represents no departure from the last three Administrations' desire for more coordination on cybersecurity between the public and private sectors.
The new Administration has also proposed a substantial economic stimulus package, the "American Rescue Plan," which Security Magazine says will contain some $10 billion in funding for cybersecurity and IT grants, programs, and projects.
We heard from McAfee’s Chief Public Policy Officer Tom Gann, who commended the new Administration's direction on cyber policy:
“We applaud President Joe Biden for prioritizing cybersecurity and recognizing how critical it is to our national and economic security. As SolarWinds has shown, our nation is still not where it needs to be in cyber preparedness. Much of this can be managed through simple cybersecurity hygiene, which, unfortunately, is still a challenge to many organizations and people across public and private sectors.
"But we also need something bolder, albeit more difficult: to change the security of the technology underlying many of our systems and networks. We need to develop an approach to a trust-oriented internet – and we as a nation need to invest in it quickly. These are the kinds of security conversations we should be having if we want to maintain leadership as a nation. We’ve been tinkering around the edges long enough.
"Right now, we have a once-in-a-generation chance to tackle something that will really make a difference: developing secure underlying technology for the systems we rely on every day. This is not something we could accomplish instantaneously; it would take years. With a new president who is committed to this strategic problem that transcends politics, as well as public-private sector partnership, we could lay the groundwork for something much needed and truly transformational. We have the opportunity for a new dawn in cybersecurity – let’s not waste it.”
And Ryan Gillis, vice president, Cybersecurity Strategy and Global Policy at Palo Alto Networks, likes the newly confirmed DNI:
"Avril Haines brings a deep understanding of critical cybersecurity challenges facing the Intelligence Community and our national security. With her confirmation as director of national intelligence, Palo Alto Networks looks forward to her leadership on cyber threat sharing, supply chain security and other crucial challenges our nation faces in the cyber realm."
And some possible policy holdovers from the Administration that just left office.
Early remarks by some of the new Administration's prospective senior officials suggest considerable continuity in US cybersecurity policy, but how far that continuity will extend remains of course to be seen. A promised flurry of Executive Orders has not so far extended to cybersecurity.
US President Trump on Tuesday issued an Executive Order outlining measures to control foreign malicious use of Infrastructure as a Service (IaaS) products. The EO, whose title is “Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” is designed, Reuters reports, to restrict transactions between cloud service providers and foreign customers likely to misuse such services for cyber attacks.
The EO gives the Secretary of Commerce the leading role, directing the Secretary to “propose for notice and comment regulations that require United States IaaS providers to verify the identity of a foreign person that obtains an Account.” Commerce is expected to coordinate its work under the Executive Order with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence.
Then-National Security Advisor Robert C. O’Brien explained the motivation for the order as follows:
“Foreign malicious cyber actors threaten our economy and national security through the theft of intellectual property and sensitive data, and by targeting United States critical infrastructure. By gaining access to United States IaaS products, foreign actors can steal the fruits of American innovation and prepare destructive attacks on our Nation’s critical infrastructure with anonymity. Malign actor abuse of United States IaaS products has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of United States firms FireEye and Solar Winds.”
Scythe, in a generally favorable assessment of the EO, characterizes it as better adapted to addressing intellectual property theft than to the more insidious cyberespionage incidents: better for protecting Hollywood against piracy than for protecting agencies against spies.
What the new Administration will do with the order isn’t known. Presidents may cancel predecessors’ Executive Orders, but they may also, and often do, keep them in force. President Trump’s eleventh-hour EO, for example, cited in its first paragraph an Executive Order President Obama issued in 2015. Neither was, at any rate, immediately rescinded upon President Biden's assumption of office yesterday. Administrations change, but many challenges endure. Prominent among those challenges, in cybersecurity at least, is the sort of threat on display in the Solorigate incident.
World Economic Forum issues its Annual Global Risk Report.
The World Economic Forum issued its Annual Global Risk Report this week. The report is both comprehensive and impressionistic, based as it is on the results of the Forum's annual Global Risks Perception Survey (more than 650 members of the WEF's "diverse leadership communities" were respondents) and shaped by the views of the Forum's Global Advisory Board.
As it has in recent years, the WEF rates cyber risk as a serious problem for the global economy. "Cybersecurity failure" ranked fourth among the "clear and present dangers," that is, short-term risks expected to arrive within two years. "IT infrastructure breakdown" ranked second among "knock-on effects," or medium-term risks expected to become salient in three to five years. Other categories arguably related to cybersecurity appear among the "existential threats" expected within five to ten years; these include "Adverse tech advances," "Industry collapse," and "Backlash against science."
The report sees, in general, the effects of increasing digitalization as driving the direction of cyber risk. This is seen, generally, as a fracturing, centrifugal force: there will be the few who make their gnostic ascent into cyberspace, and they will interact unhappily with the larger part of humanity that remains below. The executive summary expresses it like this:
"COVID-19 has accelerated the Fourth Industrial Revolution, expanding the digitalization of human interaction, e-commerce, online education and remote work. These shifts will transform society long after the pandemic and promise huge benefits—the ability to telework and rapid vaccine development are two examples—but they also risk exacerbating and creating inequalities. Respondents to the GRPS rated “digital inequality” as a critical short-term threat. A widening digital gap can worsen societal fractures and undermine prospects for an inclusive recovery. Progress towards digital inclusivity is threatened by growing digital dependency, rapidly accelerating automation, information suppression and manipulation, gaps in technology regulation and gaps in technology skills and capabilities."
We received some reactions from industry to the Global Risk Report. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, commented:
"As our world becomes increasingly intertwined with network connected devices and services the threat of significant disruption due to cyber-attack grows ever more substantial. Cybercrime remains a lucrative business. Criminal gangs extort millions of dollars from their victims and in addition to funding lavish lifestyles for the members provide ample budget for developing powerful hacking tools and purchasing zero-day exploits. Against such sophisticated threats the vast majority of defenders don’t stand a chance. It’s often shocking to the security professionals tasked with protecting an organization and its data just how easy it is to bypass or defeat security controls like anti-virus or how fast attackers can crack passwords.
"Beyond business disruption these attacks will increasingly affect the health and safety of people; we’ve already witnessed the death of a woman in Germany in 2020 directly attributed to a ransomware attack on a healthcare provider."
Javvad Malik, Security Awareness Advocate at KnowBe4, had these observations:
"As technology has engulfed every aspect of life and society, it is no surprise that cybersecurity failure is viewed as a clear and present danger. Given the trends of recent years, breaches have shown no signs of slowing down. In fact, the impact of breaches has risen, not just in terms of financial cost, but impacting individuals' privacy and livelihood.
"It's also good to see digital inequality captured as a risk. It can be easy to overlook digital inequality. But without the latest devices or fast internet connectivity, many people are left behind in terms of cyber security as well as learning opportunities.
"Collectively, it is important that a culture of cybersecurity is embedded globally from manufacturers, to designers, to resellers, implementers, and users. Cyber security should not be for the privileged few, and neither should it require so much user interaction that it becomes overlooked. Only then will we begin to see changes which are needed to address some of these most pressing issues."