With 2020 coming to a close, SC Media is delivering through a series of articles our picks of the most high impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the fourth in that series.
Like coronavirus, the election is a big story that permeates all other big stories. If there is a regulatory or legislative solution to any problem raised in 2020, it will be up to the government of 2021 to achieve.
As we wrote in October, a Joe Biden administration would bring with it a boatload of potential changes. Experts describe President Donald Trump’s approach to China, a leading force in hacking for industrial espionage and a consistent complication in supply chain security, as transactional and impulsive; Biden, they hope, would be more strategic. Vice President Elect Kamala Harris’s role as a California attorney general, focusing on privacy issues, places her in a unique position to usher in a federal privacy law. And optimism remains as evergreen as it has the last three administrations that the next administration will be the one to pass a comprehensive technology policy.
But while all of that is speculative, a few aspects of how the government may handle interactions with the private sector on information security have begun to crystalize.
From silos to collaboration?
If confirmed as secretary, for example, Alejandro Mayorkas will be the first person known for his work on federal cybersecurity policy to head the Department of Homeland Security. Mayorkas was a critical figure in creating the differentiation of powers in cybersecurity among federal agencies as a deputy secretary of DHS during the Obama administration.
More on point for chief information security officers and the security operations center, Mayorkas was a massive proponent of threat information sharing between federal agencies, federal and private sector entities, and even between international allies.
That means Mayorkas could be a potential advocate to address many of the ways information sharing falls short.
“As we look to the next four years, we need more cross sector and cross government communication,” said Kiersten Todt, managing director of the Cyber Readiness Institute, which champions small and medium sized business cybersecurity. “My sense is that Mayorkas understands this.”
There has been longstanding consternation in the private sector over the quality of data that comes from federal threat information spigots. It is an issue DHS is keenly aware of; an inspector general’s report earlier this year called for improvements to the automated intelligence system (AIS) due to low usership.
“We’ve always struggled with the private sector saying they give more information to the government than the government gives back,” said Todt.
The problem goes deep, with many CISOs expressing feelings that the current AIS is a waste of their time, a low signal-to-noise system where data has been sanitized of most of its usefulness before the government spits it back.
Many CISOs find the data that comes out of AIS hard to apply to any specific setting.
“Sharing indicators of compromise is not good enough,” said Greg Touhill, former federal CISO and current president of Appgate Federal Group. “We need to share timely information and need to share context. It’s really important to say, ‘This is what we think they’re after.’”
The U.S. intelligence community is not currently configured to emphasize threat sharing with the private sector. This is a key point in a recent blog post from Microsoft president Brad Smith about the potential policy responses to prevent the next SolarWinds fiasco. If the intelligence community found out through covert means that Russia was intending to capitalize upon supply chain attacks, there is a reasonable chance that information might not be shared with the tech companies who make up the supply chains.
Smith compares this to 9/11, where intelligence silos prevented critical information from traversing agencies in a way that could have prevented the attacks. But a better comparison might be the 2016 election, where the federal government had fully developed an information sharing plan with states. Russia breached several states during the election. By 2020, DHS had a plan in place.
“The after-action report about SolarWinds is going to be fascinating,” said Todt. “We’ll see if there was a disconnect between intelligence and industry.”
Intelligence sharing is not necessarily only an issue for the DHS to address. The National Defense Authorization Act for 2021 provides for a new White House position of national cybersecurity director to help coordinate national cybersecurity strategy. The position is a product of the Cybersecurity Solarium Commission, a working group that included legislative and executive branch personnel and private sector representatives. Many are hoping the national cybersecurity director will also improve coordination with critical private sector entities.
“Hopefully, the right person in that job moves the government culturally toward sharing information with critical private infrastructure,” said Rep. Mike Gallagher, R-Wisc., who served on the Cybersecurity Solarium Commission.
Other ideas in the NDAA that came out of the Commission included extending the capabilities of the Cybersecurity and Infrastructure Security Agency (CISA) for the protection of government networks. Combined, the director and strengthened federal defense would prevent a future SolarWinds from going unnoticed.
“The fact that FireEye, a private sector group, alerted us to the breach and the public sector did not notice is a black eye on the public sector,” said Gallagher. “In a perfect universe, it’s the government who notifies the companies.”
The primary purpose of the national cybersecurity director would be to make sure the government’s total cybersecurity strategy is coherent across agencies. That, too, has an impact on the private sector, providing a final word when, say, Department of Commerce priorities conflict with those of the Department of Defense. That authoritative check, what the Solarium Commission has colorfully referred to as a “single throat to throttle when things go wrong,” does not currently exist.
“When the kids are fighting, you want someone to say ‘knock that crap out,’” said Touhill.
What will stay the same
How information flows between the government and private sector is a key opportunity for improvement. But there are also opportunities to expand information sharing across industries. Todt sees this as a potential job for CISA, which, despite a rocky ending to 2020, had been a major success story since its inception in 2018.
CISA, under former director Christopher Krebs, built a reputation for industry collaboration it carries into 2021, despite President Trump firing Krebs after CISA would not back unfounded claims about election tampering. Like most agencies, the ongoing mission will not change even with changes to the top.
It’s unlikely, for example, that a Department of Justice strategy to confront Chinese activity will change under Biden; it’s a strategy whose origins come from the Clinton administration, and whose recent prosecutions were the culmination of work performed under several attorneys general.
But a volatile China situation, one that entangles cybersecurity with trade, supply chains, relationships with allies and human rights concerns, still appears likely to many experts to force a confrontation.
“China’s continued behaviors are going to force governments and private companies to make increasingly tough decisions,” said Jonathan Reiber, former chief strategy officer for cyber policy at the Department of Defense and current senior director for cybersecurity strategy and policy at AttackIQ.
A change in government isn’t just limited to the executive branch. Rep. Will Hurd, R-Texas, is retiring this year, which will deprive Congress of one of its most active cybersecurity voices. Hurd was an advocate for issues that are important but too drab to get on Congress’s radar, like upgrading federal technology and reworking international agreements on the export of cybersecurity products.
2021, just like any other year, will be defined as much by the drab policies the government will bore itself with as by the exciting emerging threats.
“Is it exciting? No,” said Touhill. “But neither is wearing a mask or washing your hands.”