Cybersecurity

Biden takes quick action on cyber in first 100 days

President Biden and his administration hit the ground running on securing federal networks and critical infrastructure during his first 100 days in office, taking quick action after years of what some officials viewed as national security setbacks in U.S. cyber policy.

Those actions were fast-tracked in large part by a series of massive cyber intrusions into federal and private networks by foreign hackers. Biden came under pressure pretty much from day one to take a stand against adversaries and revitalize national cyber efforts through levying sanctions and issuing executive orders.

“The first 100 days for the Biden administration demonstrate that they take cybersecurity seriously,” said Michael Daniel, the White House cybersecurity coordinator under former President Obama who’s now head of the Cyber Threat Alliance.

The furious pace of executive actions, combined with securing significant funding from Congress for cyber defenses, stands in contrast to Biden’s predecessor, who often downplayed cyber threats.

“President Biden and his administration are off to a strong start,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) said in a statement provided to The Hill on Wednesday, adding that they “will have done more to move the ball forward on cybersecurity in four months than President Trump did in four years.”

Biden’s actions have also elicited supportive remarks from some Republicans, with House Homeland Security Committee ranking member John Katko (R-N.Y.) saying he was “encouraged” by Biden’s moves on cybersecurity in the first 100 days.

While Biden had made clear on the campaign trail he would push back against foreign hackers, he was forced to confront cyber threats on his first day in office. 

Biden was sworn in a month after the discovery of what’s become known as the SolarWinds hack, in which Russian hackers compromised nine federal agencies and at least 100 private sector groups.

And just as the administration began wrapping up its investigation, Microsoft announced in March that at least one Chinese state-sponsored group had infiltrated vulnerabilities in its Exchange Server program, potentially compromising thousands of organizations. 

In response, Biden has taken a variety of actions aimed at strengthening federal cybersecurity, including sanctioning Russia earlier this month for its involvement in the SolarWinds hack and for interfering in U.S. elections.

“They did both of these things, and I told them we would respond, and we have,” Biden said during his first address to a joint session of Congress on Wednesday evening. 

The administration also set up coordination groups consisting of multiple federal agencies to respond to and investigate both the SolarWinds and Microsoft incidents, and officials announced in February that Biden intended to sign an executive order that would strengthen federal cybersecurity in wake of both attacks.

He has yet to sign that order.

But since that announcement, Biden signed one that aims to secure critical supply chains, including those for semiconductors. The administration also embarked on a 100-day plan for securing the electric grid against cyber threats.

The administration’s cybersecurity investigations into SolarWinds and early steps to increase federal cybersecurity were led in large part by Anne Neuberger, who was appointed deputy national security adviser for cyber and emerging technology by Biden in January. 

Since then he has nominated former National Security Agency Deputy Director Chris Inglis to serve as national cyber director and Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA).

“I would encourage legislators that unless they see some egregious reason not to approve, to move very swiftly and very quickly” on those nominations, said Theresa Payton, White House chief information officer during the George W. Bush administration who’s now CEO of the cybersecurity consultancy group Fortalice.

“These leadership roles need to be in place sooner rather than later. I have been impressed with all of the names he has put forward,” she added.

Biden’s moves on cybersecurity are a notable shift from former President Trump, whose administration decided to eliminate the former White House cybersecurity position, merge the State Department’s cyber office with another bureau, and push out the senior leadership of CISA after the 2020 elections.

That left the Trump administration without key federal cybersecurity leaders in place leading up to Biden’s inauguration.

While Biden is generally acknowledged to have made a good start in prioritizing cybersecurity, officials note there is still more that needs to be done.

Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services Committee’s cyber panel, said he is pushing for more cybersecurity funding.

“We need dedicated funding to secure our digital infrastructure against further intrusion,” Langevin said in a statement to The Hill. “I will continue to strongly advocate for a $400 million increase in CISA’s budget and make sure that the President’s bold infrastructure plans contain equally bold plans for securing Americans in cyberspace.”

Katko also stressed the need for “sustained” CISA funding. The agency received $650 million as part of the $1.9 trillion American Rescue Plan Act signed into law last month. 

“I would like to see President Biden commit to putting CISA on a pathway to be a $5 billion agency in the coming years,” Katko said. “This will also require appropriately elevating the agency in interagency decisionmaking to ensure the federal government can be better prepared to compete – and win – in cyberspace.”

Cybersecurity experts see more room for improvement on other critical infrastructure areas.

Payton pointed to concerns that the administration had not put enough attention into protecting other areas beyond the electric grid, with Biden’s infrastructure proposal excluding language on cyber threats.

“I give them an A on the 100-day plan to address the electric system cybersecurity risks, but I give them a B on critical infrastructure because there is not enough clarity,” Payton said.

Daniel acknowledged that while more could be done, the administration had made great strides in its efforts to protect the nation against escalating cyber threats. 

“Of course, the Biden administration still faces serious cybersecurity threats,” Daniel said. “However, the administration’s performance in the first 100 days has been very good and they should be able to build on this success.”