Why Biden Might Follow Trump’s Lead on Cybersecurity Policy

On many issues—climate change, immigration, relations with Iran—the incoming Biden administration is expected to reverse President Trump’s policies. 

On cybersecurity, not so much.

In interviews with The Record, and at a series of online events this week, cybersecurity experts and potential Biden appointees offered their thoughts about the cybersecurity policy priorities of the president-elect and his team. More or less unanimously, they predicted the new administration, in its efforts to protect U.S. computer networks, would seek to build on the progress made primarily by officials at the Department of Homeland Security, rather than attempt a clean policy break. 

On military issues there was less unanimity, with some flagging Trump administration offensive cyber operations as potentially lawless.

The role played by the DHS’s Cybersecurity and Infrastructure Security Agency, or CISA, “in successfully securing the 2020 election has given a tremendous boost to the credibility and authority of the whole department," said Tom Warrick, a former senior homeland security official who heads the Future of DHS project at the Atlantic Council.

It “showed CISA could get down in the trenches with state and local officials, and bring in the cyber heavy hitters” from federal agencies like the FBI and the NSA to back them up, Warrick told The Record. “The Biden administration should build on that credibility,” he said. 

Although CISA director Chris Krebs was fired last month for rejecting Trump’s baseless claims of widespread voter fraud, experts said that the agency could be strengthened by the Biden administration. CISA’s success in leading what Washington insiders call “The interagency”—the often fractious process by which federal agencies coordinate their activities towards a common goal—needs to be institutionalized, said Alex Stamos, former security chief at Facebook who currently leads the Stanford Internet Observatory. 

“The first goal for the administration needs to be to get to the same level where we were on the election and to make that permanent,” Stamos said Tuesday at the Aspen Cyber Summit. 

Because cybersecurity issues so often cut across departmental responsibilities, and implicate activities of military units and intelligence agencies as well, those policy questions often end up in the interagency—which can amount to bureaucratic quicksand, cybersecurity experts said. 

Stamos praised DHS’ interagency election security “work that went into public and private partnerships, as well as collaboration within the government, between the offensive, the intelligence, and the defensive sides of cyber.” 

The same whole-of-government approach would be needed to wage a looming information war as the new administration seeks to manage a massive vaccination campaign. That will likely be ground zero in a new disinformation assault, Stamos warned.

Institutionalizing that interagency effort on cybersecurity requires strategic leadership—such as from a post inside the White House—added Mark Montgomery, a retired admiral and executive director of the bipartisan Cyber Solarium Commission. President Trump effectively abolished the White House Cyber Coordinator job in 2018, but the commission—a congressionally chartered blue ribbon panel—recommended in its report earlier this year that a more powerful White House post be created: The National Cyber Director.

That position needs to be “empowered to build the relationships across the government ahead of any cyber event, so that you can plan, so that we have an effective, timely, efficient incident response,” Montgomery told The Record.

And the Biden administration may get a big leg up from the outgoing Congress, Montgomery said, because the annual defense policy law, the National Defense Authorization Act will likely include provisions creating a National Cyber Director’s post. “We’ll see the language within 48 hours, I expect,” he said Wednesday, 

President Trump has threatened to veto the NDAA, over an unrelated dispute about the liability of technology platforms for content their users publish.

Montgomery, whose commission has highlighted the rare role that cybersecurity plays as a nonpartisan issue in a bitterly divided Congress, urged the new president’s team to build on “the good work done by the Trump administration and the Congress over the last three years” streamlining authorities for U.S. Cyber Command.

“We have a much more agile and speedy process for the execution of offensive cyber operations,” Montgomery said, “And I hope that the Biden administration takes advantage of the effort and the risk taken by the Trump administration establishing that,” he said.

But others see these new authorities—granted in a still classified presidential order—as potentially lawless. “It's really important for the Biden administration to get in there and figure out what authorities were... granted to Cyber Command,” Mieke Eoyang, senior vice president at  the Third Way think tank, said at an event hosted by the Institute for Security and Technology event.

Eoyang pointed out that Cyber Command operations, except those directed against ISIS or other terror groups, weren’t authorized by the Congressional measures that provide the legal framework for the war against terror. “I think that there are some serious questions there about whether or not those [operations] have been authorized,” she said, noting that Congress, not the executive branch, has the power to declare war and authorize the military to act extraterritorially.

The key test of the priority the Biden administration puts on cybersecurity will be the resources it allocates, said Warrick, noting Trump’s budget proposal for fiscal year 2021 had slashed CISA spending by just over$250 million. In fiscal year 2020, the enacted budget for the agency was just over $2 billion.

“Doubling the budget is the right order of magnitude,” said Warrrick, especially when you consider that physical infrastructure protection will also need to be boosted to build resilience to the growing frequency and severity of extreme weather events owing to climate change.