Biden-Harris Administration's Next Steps on Tech
The global supply chain attack on SolarWinds, which was uncovered by the American cybersecurity company FireEye in December 2020, and the attacks on Microsoft Exchange Server products, announced in March, are undeniably shaping the U.S. cyber policy landscape for 2021. As the investigations into these cyber incidents continue, we’re watching a number of key issues, including:
Threat intelligence sharing. In recent years, there have been periodic attempts to address gaps in cyber intelligence sharing between the private sector and government. While companies involved in the SolarWinds response agree on the need for information sharing mechanisms, and many shared information on an ad hoc basis during the immediate response, they offered different visions for what this could look like in practice during a series of congressional hearings in February 2021. Microsoft’s Brad Smith pushed for mandatory disclosure in ways that the industry has resisted in the past, whereas FireEye’s Kevin Mandia called for elevating the status of cybersecurity “first responders” in the private sector and protecting cyber threat intelligence as confidential information shared with the government.
National cyber resilience. In the absence of a clear legislative response to the SolarWinds incident and the Microsoft Exchange Server hack, we may see the Cyberspace Solarium Commission’s March 2020 report resurface as a way to facilitate action, including on strengthening cyber resilience. The report, which draws from more than 300 interviews, offers a new cyber strategy and more than 80 policy recommendations. The CSC also used the report to draft more than 50 legislative proposals that could support the implementation process.
Cyber diplomacy. We also expect the Biden administration will return to international cyber diplomacy, engaging in multilateral discussions about cyber norms and behaviors that should be off-limits for all actors. As noted in its Interim National Security Strategic Guidance document, the Biden administration will explore proportional responses to cyberattacks through “cyber and noncyber means,” which could include offensive cyber capabilities as well as more traditional tools like economic sanctions.
The Biden administration is likely to use momentum around the SolarWinds and Microsoft hacks to address a wider set of cybersecurity issues, including some that have the potential to cause even more harm to companies and consumers. For example:
Ransomware and extortion. Until SolarWinds, cyber incidents involving ransom and extortion were the leading cyber threats of 2020. Addressing the dangers posed by ransomware attacks, which have surged during the pandemic, is a pressing priority. Agencies like the Federal Bureau of Investigation, the Department of Justice, the Department of Homeland Security, and the Treasury Department issued ransomware advisories during 2020, but looking ahead, we may see more aggressive action on this issue and other tech policy agenda items from the Federal Trade Commission and the Consumer Financial Protection Bureau, particularly given the potential impact of cyber incidents on consumers.
Semiconductor shortages. The global shortage of semiconductor chips, which was accelerated by supply chain disruptions during the pandemic, is another pressing issue given their broad use across sectors. In the U.S., this challenge falls at the intersection of national security and economic security—and the broader conversation about tech relations with China. Although the Biden administration and members of Congress have expressed their intention to make federal investments in U.S. semiconductor manufacturing a priority, building out this capacity will be time- and resource-intensive.
Disinformation and hybrid threats. Conspiracies surrounding the 2020 presidential election and violent events at the U.S. Capitol in January 2021 demonstrated how disinformation and other hybrid threats like deep fakes are destabilizing public trust and national security. While these issues intersect with several others on the tech policy agenda, including Section 230 and content moderation, they have generated more political division than unity in recent years. These issues also have geopolitical ramifications, potentially intensifying adversarial relationships with Russia, China, and Iran while drawing out regulatory tensions with the EU.
The Biden administration has an opportunity to distinguish itself in these and other areas by turning near-term attention on cyber incidents into long-term relationship building with the wider cybersecurity and IT community. The administration will also need to assemble a strong interagency team to advance this work across government.
KEY PEOPLE TO WATCH:
Anne Neuberger was appointed to a newly created position in the National Security Council, Deputy National Security Advisor for Cyber and Emerging Technology. She comes to the White House with a background working at the National Security Agency where she served as Director of Cybersecurity and Assistant Deputy Director of NSA’s Operations Directorate, among other roles.
Rob Silvers is reportedly under consideration to serve as director of the Cybersecurity and Infrastructure Security Agency, a role that was previously held by Chris Krebs. Silvers worked at DHS during the Obama administration and would come to CISA with broad cyber policy experience.
Senator Angus King (I-ME) serves as co-chair of the Cyberspace Solarium Commission along with Representative Mike Gallagher (R-WI). The policy recommendations set out in their March 2020 report may gain renewed attention as Congress and federal agencies learn more about the full extent of the SolarWinds intrusion and the Microsoft Exchange Server compromise.
Senator Mark Warner (D-VA) co-founded the bipartisan Senate Cybersecurity Caucus and chairs the Senate Intelligence Committee. Warner is a former entrepreneur and has been a longtime leader on a range of tech policy issues, including cyber policy.
Representative Jim Langevin (D-RI) chairs the House Armed Services Committee’s Cybersecurity Subcommittee, which was recently established with a focus on cybersecurity operations, information systems, and emerging tech.