The Washington Post
Democracy Dies in Darkness

The Cybersecurity 202: Cyber experts give Biden top marks at six months

Analysis by
Anchor of The Cybersecurity 202 newsletter
July 26, 2021 at 7:31 a.m. EDT

with Aaron Schaffer

At his six-month mark in office, President Biden is making the right moves to ensure the United States is safer in cyberspace, according to an overwhelming majority of cybersecurity experts we polled. 

Biden’s term has been marked by a string of cyber cataclysms, starting with cleaning up the SolarWinds Russian espionage campaign, which was discovered shortly before he took office and affected hundreds of major businesses and several federal agencies. More recently, the nation has been struck by significant ransomware attacks that have threatened U.S. gas and meat supplies and wreaked havoc on small businesses.

Biden has effectively managed the day-to-day crises while dealing with longer-range concerns such as getting top cyber officials in place and facing off with Russian President Vladimir Putin over hacking, according to 86 percent of The Cybersecurity 202 Network. 

“It's hard to imagine an administration moving more aggressively [without being irresponsible] or putting more priority on cybersecurity issues,” said Chris Finan, a top White House cyber official during the Obama administration.

“[There’s] much more to be done, but the administration is off to a strong start in the face of escalating malicious cyber activity,” said Suzanne Spaulding, who led Department of Homeland Security cyber operations for President Barack Obama.

The network is a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey.

Experts praised Biden for taking an aggressive stand against Russian hacking. 

He pressed Putin on Russia-based ransomware attacks during a summit in Geneva last month and pledged to impose serious consequences if Putin doesn’t crack down on the groups. 

Biden’s tough stance with Putin is a “particularly welcome change,” said Chris Painter, who was the State Department’s top cyber diplomat under Obama. He acknowledged, however, that “holding Russia accountable will be a real test for this administration.”

“[Biden] has made clear to Russia’s president that some cyber actions cross a red line,” said Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center, managed by Mitre.

Experts contrasted Biden’s tough stance with that of former president Donald Trump, who was wary of challenging Putin.

“Could the administration be doing better than it is now? Yes,” said Herb Lin, a senior research scholar at Stanford University’s Center for International Security and Cooperation. “But it is doing much better than the previous administration was doing, especially with respect to Russia, where [Trump] was affirmatively downplaying and ignoring the Russian cyber threat.”

Former National Security Agency general counsel Glenn Gerstell also compared Biden favorably to Trump.

“Following an administration that demoted the role of cyber advisers in the White House and mostly ignored pleas from the private sector for more assistance, the Biden administration has made a series of exceptional, cyber-savvy appointments throughout the executive branch,” he said. 

The survey was concluded before the White House publicly accused China’s government of hacking into Microsoft email servers and fostering close ties with criminal hackers. 

Experts gave Biden strong marks on hiring. 

His cyber team includes Chris Inglis, a former top NSA official who was recently confirmed as the nation’s first national cyber director, and Jen Easterly, another NSA veteran who is leading the Cybersecurity and Infrastructure Security Agency. 

“President Biden has recruited very talented people to serve in senior administration positions,” said Michael Daniel, who led White House cyber operations under Obama. Daniel is now president of the Cyber Threat Alliance industry group.

Inglis’s position differs from Daniel’s because he will manage a far larger office and the post requires Senate confirmation. 

“Staffing the key, most senior cybersecurity positions [with] qualified and respected leaders is certainly a step in the right direction,” said Deborah Plunkett, another former NSA official who runs Plunkett Associates, a cybersecurity consulting firm.

The hiring process has not been totally smooth, however. Easterly’s Senate confirmation was held up for weeks because Sen. Rick Scott (R-Fla.) placed a hold on top DHS nominees until Vice President Harris visited the U.S.-Mexico border. 

“President Biden has been seriously hampered by the slow pace at which his top cybersecurity political appointees have been confirmed,” Betsy Cooper, director of the Tech Policy Hub at the Aspen Institute, said, adding that “devastating ransomware attacks are continuing apace, with or without political appointees in place.”

Even as they praised Biden, many experts warned there’s a lot more to be done – especially where Russia’s concerned. 

“If Putin continues to turn a blind eye to these criminals, President Biden should use every tool at his disposal to put a stop to these devastating hacks,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, who has urged a far stronger set of sanctions against Russian businesses that support hacking.

“President Biden cannot slow down. He must put every nation-state and cyber-criminal group on notice that those responsible for cyberattacks will be held accountable through all levers of national power,” said Marcus Fowler, director of strategic threat at the Darktrace cybersecurity firm and a former CIA official. 

Cyber could also be better integrated into the administration’s other priorities, such as by prioritizing cyber training in jobs and infrastructure efforts, said Megan Stifel, an Obama-era White House official who now works at the Global Cyber Alliance.

Fourteen percent of our experts said Biden wasn’t making the right cyber moves.

Many of them said he simply hadn’t done enough on getting tough with Russia and prioritizing U.S. cyber defense. 

“The administration’s current failure to actually get tough — in a public, substantive way — with the cyber attackers responsible for recent attacks on American and allied infrastructure and to extract costs from the nation-states that support them is limiting our nation’s ability to deter further acts,” said Jamil Jaffer, vice president for strategy and business development at IronNet Cybersecurity.

Jaffer urged punching back harder against those attacks and doing so publicly. 

“To the extent we do actually respond, we must stop doing it behind closed doors,” he said.

“Widespread impactful attacks continue to happen to companies around the globe,” said Tony Cole, chief technology officer at Attivo Networks. “The United States government and its allies need to hit back against Russia with stiff sanctions to get Putin to sit up and notice.”

The network

More responses to our Network survey on President Biden’s first six months in office. 

  • YES: “This administration remains a very visible presence in the extremely challenging arena of cybersecurity. But what we are facing is an exhaustion of our capacity, leaving us largely fighting fires instead of developing and executing on strategic plans.” — Dave Aitel, founder of Immunity Inc.
  • NO: “President Biden is incrementally adding to measures taken over the last three administrations. Those measures have failed and doing more of the same won't bring success.” — Stewart Baker, a partner at the Steptoe & Johnson law firm and former NSA general counsel
  • YES: “This administration is doing a fantastic job given the landscape and tech debt it inherited.” — Katie Moussouris, founder and CEO of Luta Security
  • NO: “The U.S. needs a Cabinet-level position for cybersecurity and we need it yesterday.” — Jake Williams, founder and president of Rendition Infosec
  • YES: “This administration isn't naive enough to think it can do it alone. Strengthening relationships with our allies and partners, while planning to impose costs on bad actors, is a solid start.” — Jeff Moss, founder and CEO of DEF CON Communications
  • NO: “The over-collection of people's data, misuse of data once collected, and the lack of meaningful accountability for those who have failed to secure these data are all core issues that Biden has yet to address.” — Sascha Meinrath, founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy at Penn State

The keys

WhatsApp’s CEO says government officials who are U.S. allies were targeted by NSO spyware.

The officials were targeted in a 2019 hack of WhatsApp using NSO’s spyware that is the subject of an ongoing lawsuit, WhatsApp head Will Cathcart told the Guardian’s Stephanie Kirchgaessner. 

Cathcart said that Pegasus Project reporting by The Washington Post and 16 media partners “matches what we saw in the attack we defeated two years ago.” That includes the targeting of people “who had no business being spied on in any shape or form,” he said. The Pegasus Project found multiple instances in which NSO spyware was used to target journalists and human rights activists.

NSO Group said Cathcart was “deliberately mistaken and misleading,” and that “NSO is not privy to the data of its customers” and “has no access to their systems.”

Workers and consumers are suing Colonial Pipeline and other companies targeted by ransomware.

Scripps Health is another company facing lawsuits in the wake of ransomware hacks this year, Gerrit De Vynck reports. The potential for lawsuits will continue to rise alongside ransomware breaches because just one cybersecurity failure can result in a breach, Gerrit writes.

One big problem is that there aren’t clear guidelines for determining when companies have taken cybersecurity seriously enough to not face legal liability, said Daniel Solove, a professor at George Washington University Law School and the founder of cybersecurity and privacy training firm TeachPrivacy.

“It really isn’t clear what the standard of care is,” he said. “It’s tricky. All you have to do is fail on one thing.”

The NSA did not target cable news host Tucker Carlson for spying, an internal review found. 

The spy agency also didn’t intercept his communications through “incidental collection,” a situation where an American citizen is in contact with a foreigner who’s the target of surveillance, the Record’s Martin Matishak reports, citing two people familiar with the matter.

Rather, the spy agency collected communications between two third parties who were discussing Carlson and his name was later “unmasked,” Martin reports. 

Americans identified in surveillance are anonymous to protect their identities. However, U.S. government officials can request that their identities be revealed, or “unmasked,” if there's a pressing reason, such as to better understand intelligence that isn't clear. The NSA conducted the review amid congressional pressure.

Carlson last month claimed that the NSA was “monitoring our electronic communications and is planning to leak them in an attempt to take this show off the air.” He later said the move appeared to be retaliation for seeking an interview with Russian President Vladimir Putin. Congressional Republicans seized on the issue, with House Minority Leader Kevin McCarthy (R-Calif.) tasking Rep. Devin Nunes of California, the top Republican on the House Intelligence Committee, with investigating the matter. 

“For the NSA to unmask Tucker Carlson or any journalist attempting to secure a newsworthy interview is entirely unacceptable and raises serious questions about their activities as well as their original denial, which was wildly misleading,” a Fox News spokesperson said. The NSA declined to comment.

Chat room

DEF CON speakers and attendees split on the hacking conference’s decision to invite Homeland Security Secretary Alejandro Mayorkas to be a keynote speaker on Aug. 6. Some criticized inviting a government representative while ethical hackers are bound by laws they consider unnecessarily restrictive. Others saw it as an opportunity to talk about the relatively popular work of the Cybersecurity and Infrastructure Security Agency to make the government and key industries more resilient against hacking.  

Twilio security architect Ian Coldwater:

Shutterstock’s John Jackson:

Google security executive Heather Adkins:

Amélie E. Koran, the senior technology advocate at Splunk who was previously the chief technology officer at the Department of Health and Human Services' inspector general:

Industry report

  • Venture capital firm NightDragon has announced NightDragon Growth I, a $750 million fund to invest in late-stage and growth companies in cybersecurity and related industries.

China’s Huawei hires Democratic lobbyist Tony Podesta (Wall Street Journal)

Software company's unveiling of decryption key comes too late for many victims of ransomware attack (CNN)

Securing the ballot

Trump clings to false election claims at Arizona rally (Politico)

Global cyberspace

China launches 6-month campaign to clean up apps (Associated Press)

Pakistan seeks U.N. probe of India's use of Pegasus spyware (Reuters)

Cyber insecurity

‘Holy moly!’: Inside Texas' fight against a ransomware hack (Jake Bleiberg and Eric Tucker | AP)

Average ransomware payment declined by 38% in second quarter, Coveware report says (CyberScoop)

Daybook

  • Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Homeland Security and Governmental Affairs Committee on Tuesday at 10 a.m.
  • Transportation Security Administration chief David Pekoske and deputy secretary of transportation Polly Trottenberg testify at a Senate Commerce Committee hearing on pipeline cybersecurity on Tuesday at 10 a.m.
  • The Senate Judiciary Committee holds a hearing on ransomware on Tuesday at 10 a.m.
  • A House Oversight and Reform Committee panel holds a hearing on electrical grid cybersecurity on Tuesday at 2 p.m.
  • Homeland Security and cybersecurity officials are set to speak on the second day of the Building Resilience Through Private-Public Partnerships Conference on Wednesday.
  • The House Armed Services Committee’s cybersecurity subcommittee discusses the annual defense authorization bill on Wednesday at 10 a.m.
  • The House Committee on House Administration holds a hearing on election subversion and integrity on Wednesday at noon.
  • Palo Alto Networks hosts an event on the Technology Modernization Fund on Wednesday at 2 p.m.
  • Mayorkas delivers his State of Homeland Security address on Thursday at 10 a.m.
  • A House Homeland Security Committee panel holds a hearing on the cybersecurity workforce on Thursday at 10 a.m. 
  • Former CISA director Chris Krebs speaks at a Washington Post Live event on Thursday at 3:30 p.m.
