As the election drama comes to a close, cybersecurity wonks are beginning to grapple with the implications of the transition from a Trump to a Biden administration. While the government continues to make progress in the space, not many would make the argument that the Trump administration was strong or visionary on this critical topic. As a result, there is an opportunity for the incoming Biden administration to improve national cyber security and tackle several outstanding cybersecurity topics. Within the first two years, the new administration should focus on the following five actions:
- Create the Office of the National Cyber Director
- Grow the cyber workforce
- Define a 21st century competition strategy with China
- Create the Bureau of Cyber Statistics (BCS)
- Liberate the Cybersecurity and Infrastructure Security Agency (CISA)
As the country continues to adapt to remote work and Americans spend more time online, cybersecurity has become a critically important issue, particularly as it intersects with the economy, health care systems, educational institutions and other parts of our critical infrastructure. Making progress on cybersecurity early will establish a foundation for much needed progress in an area which has desperately needed leadership and vision for the last decade, if not more.
1. Create the Office of the National Cyber Director
The Biden administration should push for and support the creation of the Office of the National Cyber Director (NCD) within the White House. The NCD would act as the President’s principal advisor on cybersecurity, craft national strategy for cybersecurity, oversee and coordinate federal government activities to defend against adversary cyber operations inside the United States and certify agency budgets. The Cyberspace Solarium Commission (CSC) made this recommendation and expended significant effort crafting legislative text and advocating for the NCD with Congress. But with the NCD currently in conference on the Hill, its fate is unknown. If the NCD passes, the Biden administration should prioritize filling this role with the strongest candidate at the same speed as other critical roles in the Cabinet. If it does not pass, the White House should establish this position of their own volition through executive action. As CSC Co-Chairman and Rep. Mike Gallagher (R-Wis.) said at the Hack the Capitol 3.0  event in September: “We thought it was the least bureaucratic approach out there. I think building another separate cyber agency…is both politically impossible and more bureaucratic while the most bureaucratic and costly option is doing nothing.” He continued, arguing that, “doing nothing will result in a massive cyber attack.”
2. Grow the cyber workforce
The Biden administration must deal with the massive cybersecurity workforce problem. The dearth of cyber talent at a time when cyber attacks increase every day should lead the government to embark on an ambitious hiring agenda. The market for cybersecurity talent is overwhelming, and the number of qualified applicants is low. Based on CyberSeek numbers, there are 525,000  vacancies in the United States, and for every vacancy there are only 1.8 qualified applicants. In fact, in the time between the publication of the CSC’s report and the publication of this article, the vacancies increased by 25,000 positions (and that during a global recession). It is a national security imperative for the U.S. government and private industry to address this challenge not as a side-hustle, but as a primary risk to the security of the nation. One place to start is to entice more women into the workforce. There are long standing roots of the need for women in the workforce, especially during times of heightened national security challenges. We need to recruit more women into the cybersecurity workforce to fill these vacancies and strengthen our defenses when we need it most .
3. Define a 21st century competition strategy with China
The new administration must define a 21st Century Competition Strategy with China to ensure we protect our borders and intellectual property; spur innovation; and do not become isolationist. Many issues require expertise from a variety of policy paradigms, which makes crafting policy strategies complex. This work requires a method for weighing policy priorities against one another to achieve the right results. The incoming administration must create a cohesive national strategy, balancing the considerations of both the American free market economy and national security. The blunt hammer of the Committee on Foreign Investment in the United States (CFIUS) opaque policy practices are not sufficient without a more robust framework for the balancing of security and the economy.
4. Create the Bureau of Cyber Statistics (BCS)
It is time to establish the Bureau of Cyber Statistics (BCS) to utilize data to make informed cybersecurity decisions. Many of today’s security and risk decisions are being made without adequate data, to the detriment of the security of the country. For example, right now, it is not even clear what percentage of our critical infrastructure is owned by the private sector. Further, there are virtually no industry-wide metrics to inform decisions and investments by owners, operators and policy makers. The CSC proposed  the BCS as “the government statistical agency that collects, processes, analyzes, and disseminates essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem” for all parties, public and private. R Street, for its part, is engaged in research and analysis of the structure and strategy for the BCS, and more focus in this area from the new administration would be greatly beneficial. After leadership and workforce, the BCS is the most critical step a Biden administration can take to help the cybersecurity community make facts-based arguments for stronger security across the board.
5. Liberate the Cybersecurity and Infrastructure Security Agency (CISA)
The administration should separate CISA from the Department of Homeland Security (DHS), and establish it as a distinct agency. While I break here from the recommendations of the CSC—which recommended that we strengthen CISA within its existing departmental structure—the difference here is a matter of degrees. The CSC debated the considerations on both sides and came down on the side of working within existing structures due to the challenges of establishing a new agency. However, the challenges of working within the DHS for the long-term far outweigh the benefits of the structure and process an existing agency provides. In the DHS, cybersecurity is not prioritized, instead it is overshadowed by the raging immigration wars and wall funding debates, which limits the resources that the CISA can request and receive through Congress. Moreover, the complicated funding streams from both the DHS and the Department of Defense (DOD) that fund the CISA create murky organizational accountability and lack, as Commissioner Senator Angus King likes to say : “one throat to choke.” Rather than being buried within a young bureaucratic organization like the DHS which does not appreciate and cannot enable the CISA’s mission, cybersecurity deserves a strong, independent agency to advocate for its critical segment of national security.
Leadership, people, and metrics may all seem like no brainers, but the path to implementation of practical solutions in cyber has been rocky at best. With these actionable solutions to challenging problems, perhaps now cybersecurity can get the focus, and the solutions, that it deserves.
Image credit: Ron Adar
- “Hack the Capitol 3.0”: https://www.wilsoncenter.org/blog-post/dont-stay-your-lane-how-cross-sector-collaboration-could-help-counter-risks-cyberspace
- “525,000”: https://www.cyberseek.org/heatmap.html
- “need it most”: https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
- “CSC proposed”: https://www.solarium.gov/report
- “say”: https://www.king.senate.gov/newsroom/press-releases/king-seeks-accountability-for-safe-housing-for-servicemembers-and-families