When Joe Biden took office, he already had a laundry list of cybersecurity issues to address.
Just a month before, private companies and government officials had discovered that Russia had spent more than a year conducting one of the most effective cyberespionage campaigns against the U.S. in history by hacking the small software company SolarWinds of Austin, Texas, and using its products to gain access to nine federal agencies and hundreds of companies.
Soon after, Chinese spies began exploiting a devastating software flaw in Microsoft’s Exchange email server program, which mysteriously and quickly fell into the hands of scores of criminal hackers who started using it to attack organizations around the world.
And while ransomware was a rapidly escalating problem before Biden took office, it became undeniable last year. Hackers, often operating with seeming impunity within Russia, extorted U.S. hospitals and schools, a major oil pipeline company and the country’s largest beef distributor.
A year later, experts say, the Biden administration has done a decent job with cybersecurity policy, filling crucial roles and hardening the country’s infrastructure cybersecurity. But they also warn that ransomware hackers will likely continue to target Americans, and that Congress hasn’t helped the country’s security as much as it could.
“Overall, I give them very high marks,” said Michael Daniel, who served as President Barack Obama’s chief cybersecurity adviser and is currently the head of the Cyber Threat Alliance, a cybersecurity industry trade association. “They assembled a real A-team, and they did so at the very top.”
A hallmark of Biden’s cybersecurity efforts is a sweeping executive order, issued in May, removing some roadblocks that private companies can face in sharing information with the government, and demanding better security standards from software companies that sell to federal agencies.
Trey Herr, the head of the Cyber Statecraft Initiative at the Atlantic Council, a Washington think tank, said the executive order was useful, but created some of its own problems.
“The May EO was sort of the best and worst of times,” he said. “It was ambitious. It was unusually technical. It called out some important areas that hadn’t seen attention in a while like software security and supply chain security. And it made an effort to identify both who would develop policy and who would take action as a result of it, rather than just chucking lots of reports into the air.”
“The problem I think is that first, it was incredibly aggressive in its timelines. It threw an incredible amount of work at NIST. Second, is it didn’t really anchor who would be accountable for these outcomes,” he said, referring to the National Institute of Standards and Technology.
The White House followed up that executive order with emergency cybersecurity regulations, issued by the Transportation Security Administration, for the pipeline industry and then rail and aviation sectors to bolster their defenses.
Anne Neuberger, whom Biden appointed as the National Security Council’s cyber lead, said that was the result of the White House pulling out all the stops to quickly demand more cybersecurity from U.S. critical infrastructure operators without waiting for Congress.
“We really scrubbed all U.S. government authorities and identified that TSA had emergency authorities, in the aftermath of Colonial Pipeline, to set those cybersecurity standards,” she said in a phone interview.
In June, thanks to an act of Congress, Biden appointed Chris Inglis as the first White House national cyber director, a position designed to coordinate various agencies’ at times conflicting goals with cybersecurity. That has led to some confusion and perceived turf wars with the National Security Council, which in the past has held that responsibility, though Neuberger downplays the idea they’re in conflict.
“Chris and I discussed it, and first, there’s enough work for everyone,” she said. “We work very closely together. We meet regularly.”
A requirement for critical infrastructure operators to disclose to the federal government when they’ve been hacked, long a priority for cybersecurity hawks and a goal of the White House, failed in the Senate in December, however.
Ransomware, though, is still a major challenge. The White House has implemented a number of tactics to try to reduce it, including coordinating with countries such as Poland, South Korea and Ukraine to arrest and at times extradite alleged hackers and sanctioning the cryptocurrency companies that allegedly launder the money extorted.
Still, ransomware hackers were roughly as prolific in 2021 as they were in the previous two years, according to an annual survey from the cybersecurity company Emsisoft.
It wasn’t until last week that Russia finally took the step of publicly arresting members of REvil, one of the most notorious ransomware gangs, a move the White House framed as a win.
At least some ransomware hackers have been rattled by the arrests, said Dmitri Alperovitch, the chair of the Silverado Policy Accelerator, a think tank for government technology policy.
“It is absolutely reverberating through the e-crime ecosystem, and I think at least in the short term will likely result in a slowdown of attacks,” he said.
The timing of the shift is notable, Alperovitch added. The fact that the Kremlin waited until last week to take action signals that Russia is only willing to cooperate with the U.S. on ransomware as long as the countries aren’t openly clashing on Ukraine, he said. Biden has predicted Russia will invade Ukraine.
“Why did the Russians do this and why did they do this now?” Alperovitch said. “It sends a signal in my mind that this is ransomware diplomacy, that they’re going to be willing to cooperate with us on ransomware but not at the expense of more sanctions.”
“Overall, I’m not hopeful,” he said. “I think the relationship with Russia is completely broken.”
Lauren Zabierek, the executive director of the Cyber Project at Harvard’s Belfer Center, said Biden has made cybersecurity strategy a priority, but there’s far more work to be done.
“What strikes me is he cares very much about this and I think it’s very important to him, so I think he’s put a lot of effort into various things to strengthen cybersecurity,” she said.
“Hopefully this puts us on a path to greater resilience, but I think it’s a very long road,” Zabierek said.