February 10, 2021

What’s to Come for Cybersecurity in the Biden Era Recent developments offer early answers to what the Biden administration’s cybersecurity policy will look like (while, at the same time, raising important questions).

By Alexander H. Southwell and Daniel Rauch Last month, in response to the SolarWinds hack, then-President- elect offered a simple message: “We will respond and probably respond in kind.” For campaign observers, such tough talk might be unsurprising; Biden ran, after all, on a platform of “deter[ring] cyber threats” and “demand[ing] … countries cease and desist from conducting cyberespionage.” In its first weeks, the adminis- tration has matched strong words with strong actions: elevating vet- eran cybersecurity leaders, calling for vast digital defense investments and laying the groundwork for Signage outside SolarWinds Corp. headquarters in Austin, Texas. Photo: Bronte Wittpenn/Bloomberg renewed cooperation with allies abroad and the private sector at center. For national cyber director, cyber and emerging technology (a home. Together, these develop- a new role established by the 2021 newly created role meant to elevate ments offer early answers to what National Defense Authorization the subject internally and coordi- the Biden administration’s cyberse- Act, the president has tapped Jen nate cybersecurity efforts across the curity policy will look like (while, Easterly, a former National Security government). at the same time, raising important Agency official who helped cre- And they aren’t alone. Vice questions). ate U.S. Cyber Command. The President and Strong Leaders and a Deep National Security Council will Health and Human Services Bench include at least five experienced Secretary nominee With its first hires, the Biden cybersecurity officials, including each served as Attorney administration has made clear that Anne Neuberger, who will serve as General, and each made cyberse- cybersecurity will be front and deputy national security adviser for curity and data privacy priorities the national law journal February 10, 2021 in that role. , now private sector, as a key part of its eration, diplomacy and “passive” director of national intelligence, cybersecurity approach. Early signs defenses. has extensive cybersecurity experi- include a thaw with European • What role will the pri- ence. And Biden’s pick to lead the Union officials, who view the Biden vate sector play? As former Department of Homeland Security, administration as more recep- DHS cybersecurity official Mark , was previ- tive to cybersecurity cooperation, Weatherford recently observed, ously deputy DHS secretary, with the appointment of officials with “20 years ago, dealing with for- a portfolio including addressing cyber-diplomacy experience (like eign nation attacks were the diverse cyber threats and negotiat- Mayorkas), and a renewed focus sole responsibility of the federal ing a key cybersecurity agreement on working with the private sector. government,” but today, private with China. companies are prime targets of What’s Next? “Surging” Resources well-resourced, state-sponsored Even as the administration’s attacks. In this context, a key The president’s spending priori- opening moves have answered question is whether, and to ties have also reflected his pledge some questions, they raise others: what extent, the Biden admin- to make cybersecurity a “top pri- • Will cooperation prevail? istration’s early promises of pri- ority.” In his American Rescue One of Biden’s core messages, vate-sector cooperation will be Plan stimulus proposal, Biden in the campaign and after, has realized. If they are, the private asks Congress for $10 billion for been a plea for bipartisan unity. sector may have opportunities “the most ambitious effort ever to Cybersecurity policy could be a big for unprecedented government modernize and secure federal IT part of this vision, as cross-party funding, expertise and opera- and networks.” The centerpiece of cooperation has historically been tional support. At the same time, this effort is a $9-billion request possible on a variety of cyber- we expect increased regulatory for IT and cybersecurity shared security issues. Alternatively, it scrutiny of companies’ cyberse- services at the General Services is also possible that cybersecu- curity posture, as well as privacy Administration and Cybersecurity rity, like many other issues, may practices, particularly those com- and Infrastructure Security cause continued fractures, espe- panies contracting with the gov- Agency. The plan also calls for cially if the focus shifts from ernment and in the information $690 billion for “cybersecurity areas of consensus and toward technology supply chain. Such a across federal civilian networks”; controversial issues like Section rise of intense regulatory scrutiny $300 million for GSA Technology 230 immunity. might prove to be at odds with Transformation Services programs; • How far “forward” will governmental cooperation, and and $200 million to “surge cyberse- cyber defenses lean? In recent companies will have to navigate curity technology and engineering years, as crystallized in a 2018 that tension, even as they devote expert hiring.” This commitment Department of Defense Cyber more resources and attention to is impressive in both absolute and Strategy document, America’s cybersecurity defenses. relative terms. For instance, the approach to cybersecurity has And of course, given the fluid, plan requests $10 billion for pan- leaned toward “defend forward” ever-changing nature of the threat, demic supply manufacturing and (i.e., the best cyber defense is one it may well be an “unknown $20 billion for a national vaccine that addresses threats as close unknown”—dangers we did not distribution program—comparable as possible to their source), and know we did not know—that comes sums. This sends a powerful signal: “persistent engagement” (i.e., to define the next four years. The even in a pandemic, technological favor proactive, offensive actions early answers are now clear. The security may be as important as to take the initiative). It is pos- questions are just getting started. medical security. sible Biden may double down on Alexander H. Southwell co-chairs Building Bridges this offense-minded approach. Gibson, Dunn & Crutcher’s privacy, Along with surging personnel Yet this posture is not without cybersecurity and consumer protection and money, this administration controversy, and in time, we may practice group and is a former federal seems likely to look to cooperation, see a less hawkish strategy, with cyber-crimes prosecutor. Former associ- both with other nations and the emphasis shifting toward coop- ate Daniel Rauch is a Denver lawyer.

Reprinted with permission from the February 10, 2021 edition of THE NATIONAL LAW JOURNAL © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-256-2472, [email protected] or visit www.almreprints.com. # NLJ-02102021-478069