By Dr. Andreas Kuehn and Bruce McConnell
The Biden-Harris Administration’s $1.9 trillion American Rescue Plan, the legislative emergency package designed to combat COVID-19 through vaccinations, economic relief, and community support, also earmarks $10 billion to modernize and secure federal information technology (IT) infrastructure. Recognizing that along with the pandemic came a cybersecurity crisis, the stimulus package identifies four distinct lines of urgent and important actions to strengthen U.S. digital infrastructures and cybersecurity capabilities: $9 billion to launch shared IT and cybersecurity services at the federal level; $200 million to hire hundreds of cybersecurity technology and engineering experts; $300 million to build shared services for enabling transformational projects; and $690 million to improve security monitoring and incident response.
Federal Cybersecurity Priorities
Beyond much needed financial resources, the U.S. federal government needs to consider actionable plans and measurable objectives. The tax dollars will not only help to overcome COVID-19-related cybersecurity concerns but allow the U.S. to exit the crisis with a stronger cybersecurity foundation in place. Four aspects are critical: strengthened resilience, better public-private coordination, a talented workforce, and international cooperation.
First, cybersecurity must shift towards response and resilience. Nationwide responses in the aftermath of large-scale cyber incidents will help contain damage. Resilience-oriented design and operations requirements ensure that systems bounce back quickly and continue to operate rather than fail. Second, seamless private-public sector coordination—especially along supply chains—remains critical to align cyber defense capacities and roles. Third, a priority should be the creation of a diverse cybersecurity workforce equipped with the technical, legal, and policy skills to effectively navigate and ensure a modern, secure IT infrastructure in federal, state, local, and tribal governments. The creation of talent exchange mechanisms allows private sector expertise to be brought into federal departments and agencies and strengthens professional public-private relations and trust. Finally, none of this can be done without strong international cooperation, recognizing that cyber attacks and incidents have zero respect for national boundaries. Partners at the White House, the Departments of State, Homeland Security, Defense, and Commerce as well as their counterparts in state and local governments, the private sector and the ICT industry have critical roles to play to ensure that the economic relief dollars are spent effectively on cybersecurity.
Getting Worse, Not Better
While these investments are necessary, they are not sufficient to address the growing cybersecurity challenges the U.S. government is facing. Despite numerous modernization efforts and operational reorganizations, the cybersecurity problem is getting worse rather than better. Scores of audit reports by government watchdogs including the U.S. Government Accountability Office (GAO) illustrate the many cybersecurity shortcomings in federal departments and agencies. While the digital transformation to modernize, streamline and simplify government IT operations is well underway, for example with the move to the cloud, this will not necessarily result in better cybersecurity. On the one hand, increasing interconnectivity and building out digital services bring economic and efficiency gains by deploying cutting edge technologies at scale. On the other hand, the competitive edge from digital technologies also increases the attack surface and introduces new vulnerabilities. Cybersecurity investments are the price to pay to operate in this new digital world and are justified as long as the benefits outweigh the cost.
In many ways, ICT in the U.S. government and in the larger U.S. economy have provided an important layer of resilience during the global COVID-19 pandemic. Without modern information and communication technology, the impact would have been significantly more severe. Remote work, online grocery shopping, telehealth, and even scientific cooperation and vaccine discovery, aided by artificial intelligence and data science, would hardly have been possible. While investments in IT modernization and cybersecurity increased resilience and enabled a platform to rethink how to operate in modern society in an unprecedent way, this work has in some ways come at the expense of cybersecurity. Once again, the IT industry faces the increased cost of ensuring security after the fact, rather than building it in by design.
Better Cyber Statecraft Needed
Last year’s SolarWinds cyber incident – when U.S. government data was breached, likely by foreign-backed hackers – was not the first time that a software update mechanism has been compromised and repurposed to distribute malicious code. Nor was the systemic nature of SolarWinds unique; one can go back to Stuxnet or Heartbleed, for example, to find exploitable security vulnerabilities globally distributed across multiple critical systems. What is new today is the universal dependence of digitally advanced societies on ICT and the extent of interconnectedness. Indeed, no matter how much is invested, these large, complex systems will always remain vulnerable one way or another by their very interconnectedness. In this situation, costs for operating securely to the degree possible will continue to increase, and the American Rescue Plan provides a down payment, at best, to help the federal government catch up to what will become an essential operational cost in the post-pandemic world.
Cybersecurity is not solely a technical or domestic matter. Statecraft in and concerning cyberspace through international cooperation, cyber diplomacy, sanctions, and coordinated public attribution are complementary to domestic measures and key for a stronger U.S. cybersecurity posture. The now-reversed U.S. retreats from the Paris climate agreement and the UN World Health Organization were universally debated, whereas the relative decline of U.S. leadership on international cybersecurity cooperation and cyberspace norms setting within the United Nations and other global and regional security institutions have received far less public attention. The previous administration’s countless missed opportunities to admonish malicious state actors for their cyber incursions and disinformation campaigns has emboldened bad behavior in cyberspace. Conversely, the U.S. cyber strategy of defend forward and persistent engagement continues to raise eyebrows and concerns, even among close security partners and friends. Steps already underway to fill new positions at the White House, the State Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) will be key to reestablishing trust in the U.S. as a responsible international cyber partner.
Dr. Andreas Kuehn is a senior fellow at ORF America’s Cyber Cooperation Initiative. Bruce W. McConnell is a distinguished fellow at ORF America’s Cyber Cooperation Initiative and former Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security