As the U.S. transitions to a new presidential administration, which can be expected to differ greatly from the last, it is hard not to speculate how President Biden’s Administration will reduce the risk of a major cyberattack against the U.S. or her interests. The recent SolarWinds attack, widely attributed to Russian actors, further amplifies the need for improved security and deterrence. Despite my best efforts to come up with a brilliant “thought leadership” piece on what I think the Biden Administration should do, the best answer has already been written and published in March of 2020 as the 2020 Cyberspace Solarium Commission Report.
Co-chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), the bipartisan Cyberspace Solarium Commission proactively studied U.S. cybersecurity in much the same way the 2004 9/11 Commission Report reactively assessed failures within the U.S. Intelligence Community (IC) and offered recommendations for sweeping changes. The Cyberspace Solarium Commission, just as the 9/11 Commission before it, made bold recommendations for significant changes that I believe President Biden will likely use as the blueprint for restructuring how America operates in cyberspace. Among the many Cyberspace Solarium Commission recommendations, here are the three I will be watching most closely.
1. Issue an Updated National Cyber Strategy
The Commission accurately assessed that the U.S. Strategy on Cybersecurity is both out of date and plagued by the lack of a single executive owner. The new policy is expected to focus on layered deterrence, resilience, public-private collaboration, and “defend forward.” Those last two items are the ones I would watch carefully.
Public-private collaboration – With the increased emphasis on public-private collaboration, we will likely see ramped-up rhetoric of nationalization and accusations of civil rights violations (much like we witnessed with the Patriot Act) and of corruption related to how private companies are awarded opportunities for (and profit from) collaboration.
“Defend Forward” – The Commission posited that the U.S. has not created “credible and sufficient” costs for malicious cyber operations. The new policy is expected to prioritize “proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior” over simply responding to malicious behavior.
If codified in new U.S. policy, this significant change in posture will be simultaneously championed as a bold move to create meaningful deterrence and harshly maligned as a risky move that could turn cyberspace into a hot battlefield – with real civilian casualties – despite the lack of agreed-upon international norms for acceptable behavior.
2. Establish a Senate-Confirmed National Cyber Director
It has already been widely reported that Biden will select Jen Easterly – the former deputy director for counterterrorism at the National Security Agency who served on President Obama’s National Security Council before joining Morgan Stanley in 2017 – for this role.
A West Point grad who studied at Oxford, Easterly is an expert in intelligence and terrorism who brings the added insights of cyber threats to the private sector from her time in the financial sector. Most important, in my estimation, is that Easterly is not a policy wonk or technologist. If the national strategy is going to move aggressively forward, the NCD must be someone who understands the implications of war.
As the first NCD, tasked with building and leading the first Office of the National Cyber Director (ONCD), Easterly will be taking on a role like John D. Negroponte’s as the first Director of National Intelligence (DNI) in charge of the Office of the Director of National Intelligence (ODNI) in 2005. Just as Negroponte needed to address the fragmentation within the IC and establish a single unifying voice, Easterly “will be responsible for the integration of cybersecurity policy and operations across the executive branch.”
The newly minted NCD will likely have a heavy hand in quickly developing the National Cyber Strategy and then be expected to serve as the single voice uniting the messages of US Cyber Command, the Cybersecurity and Infrastructure Security Agency (CISA), and every agency across the U.S. Intelligence Community on all things cyber. Yet the Commission recommended the NCD be forbidden from interfering in the activities of the Department of Defense, the ODNI, the Department of Justice and the FBI. While the NCD should be kept abreast of operations, they will not have the authority to impact activities of those organizations even if their efforts directly conflict with the National Cyber Strategy.
I suspect there will be many interesting conversations between Biden’s new NCD and DNI.
3. Implement policies designed to better recruit, develop, and retain cyber talent
This is where the rubber meets the road in the Cyberspace Solarium Commission’s recommendations. Because, even if all the best strategies and policies are created and uniformly agreed upon across all government and private sector domains (which is unlikely), none of that will matter if the talent to execute does not exist. Quite frankly, the government has a serious problem competing for talent.
Firstly, the U.S. has a massive shortage of cybersecurity talent and an education system proving incapable of keeping up with growing demand. In late 2019, (ISC)2 put the estimated number of unfilled cybersecurity jobs at 4.07 million and stated that the cybersecurity workforce would need to increase “62% to better defend U.S. organizations.” This trend is heading in the wrong direction. One way to reverse it would be to better address the continuing lack of diversity and inclusion in science and technology. When more people from all walks of life, races, genders, economic circumstances, and backgrounds are given equal access to these fields, the available workforce will increase dramatically. But, while our society is struggling to address the root causes that keep doors to these opportunities closed to far too many Americans, we can only hope the trend against bias and bigotry will continue in the face of strong opposition to changes that many perceive as a threat to their own advantageous positions.
Secondly, the allure of government work has traditionally been patriotism, job security, and long-term financial stability through pensions. But much of today’s premium cyber talent is deeply distrustful of the government, has seen the term “patriotism” maligned and abused, understands that job security can equal stagnation, and sees government retirement savings programs (which replaced pensions) as equal or inferior to the 401(k) plans offered by most private companies.
In contrast, private enterprise generally offers more interesting opportunities. This often includes better compensation packages and more inviting work environments (modern corporate facilities, increased hybrid and remote work options, unstructured hours, casual dress codes, free food, drink, and entertainment, etc.). In the private sector, opportunities for entrepreneurship are also celebrated, including ownership stakes in start-up companies. Finally, in contrast to the public sector, the business world represents more freedom. This is exemplified by the freedom to chase big ideas (and fail fast if necessary) as well as the liberty borne of embracing diverse and inclusive lifestyles, including the use of marijuana for therapeutic and recreational purposes (in states where it is legal).
That last tidbit may not seem meaningful, but as far back as 2014, then-Director of the FBI James Comey told the New York City Bar Association, “I have to hire a great work force to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview.”
Many cybersecurity experts capable of contributing significantly to the nation have lifestyles that should not be judged by rigid and outdated policies. Things like casual marijuana use should not automatically disqualify candidates. To attract more of today’s top cyber talent, the government must re-evaluate how it applies federal laws related to marijuana and other stumbling blocks that stand in the way of building top teams. Many standards we still adhere to were developed decades prior to both the modern scientific research on cannabis and the threats posed in cyberspace; a rethink is past due. (Note: As someone who still maintains a security clearance, I have never used marijuana in any form. My position here is about cybersecurity policy, not personal preference.)
While the Solarium Commission proposed a laundry list of recommendations for funding, training, recruiting, partnerships between the public and private sectors, and military transition programs, none of those recommendations address the concerns I listed above. The recommendations may create a training ground for talent that will benefit from the growth of their skills and then abandon the government for the private sector, resulting in a revolving door for the government. Perhaps I will be proven wrong on this point. I certainly hope so.