Biden’s latest cybersecurity initiative: Good ideas that still need good execution
When it comes to online security in all its many forms, the Biden administration seems to have its priorities in the right place.
Its fact sheet on an initiative announced last month titled “Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity” focuses on critical infrastructure, ransomware, using the purchasing power of government to improve software security, international cooperation, building a cyber workforce with better cyber education, and labeling of Internet of Things (IoT) devices to demonstrate a level of security.
These, it says, are part of a “comprehensive approach to ‘lock our digital doors’ and take aggressive action to strengthen and safeguard our nation’s cybersecurity.”
All good. It’s unlikely any cybersecurity expert would disagree with those goals. But the title is more aspiration than reality, since “delivers” implies that all these initiatives are up and running. At best, determining how to deliver on them is still in process. Actually delivering them is much more difficult.
Parade of presidential policy
Indeed, a parade of presidents going back to Bill Clinton have issued ambitious executive orders (EOs) or policy initiatives on cybersecurity, and none has transformed the online world.
Clinton proposed a National Plan for Information Systems Protection in 2000, labeled “the first-ever national strategy for protecting the nation’s computer networks from deliberate attacks.”
President George W. Bush released the National Strategy to Secure Cyberspace in 2003, with a goal of launching a “coordinated and focused effort from our entire society — the federal government, state and local government, the private sector, and the American people,” to reduce the nation’s vulnerability to cyber threats.
President Obama issued more than one. In February 2013 it was an EO about better security of critical infrastructure. Three years later he established the Commission on Enhancing National Cybersecurity.
And President Trump’s National Security Telecommunications Advisory Committee drafted a “Cybersecurity Moonshot,” echoing President John F. Kennedy’s 1961 challenge to put a man on the moon before the end of that decade. It was presented as a “whole-of-nation” effort to “make the Internet safe and secure for the functioning of Government and critical services for the American people by 2028.”
Added to those are dozens of private, public/private, and government agency standards and/or best practices that prescribe, many in exhaustive detail, how to make connected devices, networks, and systems more secure.
Many of those initiatives have indeed improved internet security for government, business, and individuals. Yet we’re not even close to really locking our digital doors.
The technology website Bleeping Computer never lacks material for its regular feature “The Week in Ransomware.” Within the last few weeks there has been a mad scramble to fix serious software vulnerabilities in the cryptographic library OpenSSL due to fears it could become the next Heartbleed. Browse any technology website and you will find dozens of headlines every day about successful attacks on healthcare, education, business, and the multiple sectors of critical infrastructure, or about cyber espionage from hostile nation states.
Many have tried …
So if Biden does manage to pull off even a majority of what is in this document, some of which was covered in his May 2021 Executive Order on Improving the Nation’s Cybersecurity, he will be the first president to do so. As noted, many have tried, with limited success.
Donald Davidson, director of cyber supply chain risk management programs with Synopsys, said presidential initiatives like these “start from a good place, but there is not a cohesive plan of action — just lots of piecemeal activity. Some of the good ideas have been implemented; other ideas have been ignored.”
He would know. Davidson previously worked for the Department of Defense, and he and his current Synopsys colleague, Emil Monette, who was then with the federal General Services Administration, were the primary “action officers” for material that became part of the 2013 Obama EO on critical infrastructure.
That EO, among other things, called for any software product acquired by the federal government to have a baseline level of cybersecurity built in, and for better cybersecurity training of the workforce. Nine years later those same recommendations are part of both the Biden EO and the recent cybersecurity initiative.
Still, this latest White House initiative seems to embody that old cliché that “if at first (or second, third, fourth… ) you don’t succeed, try, try again.” And Anita D’Amico, vice president of business development with the Synopsys Software Integrity Group, said while there is a bit of overlap between this initiative and the Biden EO, it’s not a rehash.
She said the Biden EO was focused largely on the sharing of cybersecurity information. “For example, service providers need to share cyber incident and threat info that could impact government networks, software suppliers need to publish a software Bill of Materials that describes the contents of the software package, and federal agencies should agree on a common set of definitions and playbooks for responding to cyber incidents,” she said.
The latest initiative, while it does include goals for information-sharing in areas like ransomware attacks and labeling IoT devices, is focused much more on critical infrastructure, which is largely owned and run by the private sector.
“It emphasizes the modernization and securing of our critical infrastructure including newer segments such as electric-vehicle stations and building the cyber workforce infrastructure,” D’Amico said.
Monette, now director of government contracts and value chain security with Synopsys, said even if the recent initiative does restate some of the president’s 2021 EO, “it keeps attention on the important issue of cyber. And while it doesn’t provide any details, having a strategy is the first part of developing the more tactical things — goals and initiatives that will effectuate the strategy.”
The White House fact sheet breaks out the initiative’s areas of focus. They include:
- Improve existing critical infrastructure to include “multiple performance-based directives by the Transportation Security Administration to increase cybersecurity resilience for the pipeline and rail sectors [and] cybersecurity performance goals [for industrial control systems] that will provide a baseline to drive investment toward the most important security outcomes.”
- Ensure that new infrastructure is smart and secure through an expanded network of electric-vehicle charging stations, expanding high-speed internet, and a grant program for state, local, and territorial governments to “support efforts to address cyber risk to their information systems and critical infrastructure.”
- Strengthen federal government cybersecurity through its purchasing power. This item, also addressed in the president’s EO, would require measures like multifactor authentication, zero-trust architecture implementation, and software security features.
- Counter ransomware attacks through cooperation with international allies.
- Work with allies and partners to make cyberspace more secure. This would include the establishment of “a new virtual rapid response mechanism at NATO to ensure allies can effectively and efficiently offer each other support in response to cyber incidents.”
- Impose costs on and strengthen our security against malicious actors. An example of this, according to the document, was the U.S. “work[ing] with allies and partners to attribute a destructive hack of the Viasat system at the beginning of Russia’s war in Ukraine.”
- Implement internationally accepted cyber norms, which the administration calls cyber “rules of the road.”
- Develop a cybersecurity labeling system for IoT devices. This was a major focus of the Biden EO, which it said would let consumers know “which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.” The goal is to start with “some of the most common, and often most at-risk, technologies — routers and home cameras.”
- Build a cyber workforce and strengthen cyber education in the U.S. This includes what the White House calls a 120-Day Cybersecurity Apprenticeship Sprint to help provide skills-based pathways into cyber jobs.
- Develop quantum-resistant encryption. “Advancements in quantum computing threaten that encryption,” according to the initiative, “so this summer the National Institute of Standards and Technology announced four new encryption algorithms that will become part of its post-quantum cryptographic standard, expected to be finalized in about two years.”
That’s an ambitious list. And there is some skepticism that some of these items will succeed even if they are implemented. Monette notes that while the federal government does have considerable purchasing power, its leverage is not worldwide.
“The U.S. federal government’s purchasing power amounts to less than 0.01% of global ICT [information and communications technology] demand, so it is highly unlikely it will be able to aggregate enough demand to effectively move that global market one way or the other,” he said.
D’Amico believes it’s still worth doing, however. “People and governments can and do influence supplier behavior and the quality and safety of the goods they produce by exercising their purchasing power,” she said. “While that alone will not solve the cybersecurity problem, it can and should improve the situation.”
Or, as the Hacker News put it in a review of the fact sheet, “Will it be enough? Probably not, but some movement is better than no movement at all.”