Cybersecurity doesn’t win votes, but it saves lives
Times are tough for Americans right now. The immediacy of the chaos and costs introduced by COVID-19, the economic recession, and the election have dominated headlines and political agendas, so it’s understandable that candidates placed cybersecurity on the backburner. That inattention, though, only exacerbated the likelihood that the United States would be subject to an inevitable cyberattack. Days removed from an attack on multiple federal agencies suspected to have originated from Russian intelligence services, the shortfalls of the U.S. government’s approach to cybersecurity are even more glaring.
There is no shortage of actors – both nation states and non-state organizations – that would love nothing more than to kick the U.S. while it is down and distracted with vaccine distribution, a limping economy, and a controversial transition of presidential power. That’s exactly why the Biden administration needs to prioritize cyber policy by reviving stalled attempts to coordinate the government’s approach to cybersecurity and by finetuning what is considered critical infrastructure.
As recently as 2018, the Director of National Intelligence listed cybersecurity as the top threat to national security. Yet, the topic received little to no attention during the presidential campaign. Election interference was regularly discussed, but those conversations failed to thoroughly examine the nation’s readiness for growing cyber threats. With cyber on the electoral sidelines, the issue never became a priority for either candidate. To this day, cyber continues to be a second tier policy issue. Case in point: cyber policy is not mentioned as a priority on the Biden-Harris transition website(nor is national security, for what it’s worth).
The Biden transition team would be wise to reassess its approach to cyber. Consider a report from Lloyd’s and the University of Cambridge that revealed the likely costs of an eminently feasible cyberattack. In their analysis, a hypothetical cyberattack knocking out just 50 generators along the Acela Corridor could result in 93 million people losing power and the economy taking a $1 trillion hit. It would be easy to dismiss this report as an insurer crying cyber wolf, but recent events and experiments show that these sorts of attacks require our immediate attention and investment. Our would-be attackers have already evidenced an ability to undermine critical infrastructure. Russia caused a blackout in Ukraine, and Iran managed to hack into a dam in New York State. Our government has long been aware of these vulnerabilities. U.S.-run exercises have demonstrated the ease with which a generator can be completely disabled.
Our cyber readiness could be drastically improved by heeding the advice of thought leaders like Paul Rosenzweig, senior editor of the Journal of National Security Law and Policy. According to Rosenzweig, there are two issues with our government’s approach to cybersecurity: first, inadequate structures for policy creation and coordination and, second, an absence of methods for auditing and reforming those policies. It follows that the Biden-Harris administration could make substantive improvements to our cybersecurity efforts merely by restructuring our current organizational approach to cybersecurity. The Cyberspace Solarium Commission has already compiled a list of organizational changes and policy recommendations to improve America’s cyber stance. The new administration should make a serious effort to try and implement these changes.
The appointment of a national cyber director would be a good place to start. President Trump scrapped the position, but a bipartisan group of legislators is ready to restore it. The position was included in the National Defense Authorization Act (NDAA) that Congress recently passed and the President vetoed. President-elect Biden can score an early bipartisan win by heeding the wishes of these legislators, and some D.C. insiders speculate that he will, according to reporting from The Washington Post. Doing so would improve our cybersecurity, so long as the director is given the authority necessary to remedy the issues flagged by Rosenzweig. Assuming Congress overcomes the veto, the next director needs to have the ability to set comprehensive policies and direct the nation’s coterie of agencies involved in cybersecurity.
Finally, President-elect Biden should take a page out of his former boss’s playbook and enlarge our definition of critical infrastructure (CI) to reflect modern vulnerabilities. After the 2016 election revealed Russian interference, President Obama named America’s election systems part of our critical infrastructure list. In doing so, the President made these systems subject to heightened cybersecurity requirements as well as protection from the government. After a campaign that included hacks of major social media sites, President-elect Biden should require large media organizations to adhere to the same standards by issuing an executive order or presidential policy directive that adds those entities to the list of CIs. By regarding social media companies as CI, they would also receive expedited federal assistance in the event of an attack.
Cybersecurity does not receive the attention it deserves until a hack hits the headlines as it did last week. Politically, that makes sense. After all, I have yet to meet an issue voter that makes decisions based on cybersecurity stances. From a national security standpoint though, inadequate attention to our critical infrastructure is a problem worth spending political capital on to correct.
Many folks have reflected on the fragility of our democracy. If cybersecurity is not a priority for the next administration, that fragility will only increase. Right now, the extent of the intrusion into the federal system is unclear—that lack of clarity will make it easier for conspiracy theories to thrive and doubts of government security to spread. To calm these fears, the government must be transparent with the public when it comes to our cyber vulnerabilities as well as the proactive measures being taken to protect government systems.
Kevin Frazier is a born and raised Oregonian. He is pursuing an MPA at HKS and a JD at the UC Berkeley School of Law. In his spare time, he runs The Oregon Way blog and covers the nexus of technology and good governance. You can follow him on Twitter @KevinTFrazier
Article photo credit: Nahel Abdul Hadi via Unsplash.