Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger touted the Biden administration's infrastructure proposal and cybersecurity executive orders at the RSA Conference Tuesday as unprecedented for any presidency.
"This administration is committed to changing the calculus [of breaches], and the president has elevated cybersecurity in a way that no other has," she said.
The Biden administration is tackling cybersecurity on a number of fronts, Neuberger detailed, many of which either involve industry or could impact how security is managed across sectors. A broad executive order last week seeks to leverage federal purchasing to influence industry trends, revamping basic cybersecurity practices in government agencies and pursuing labeling standards to promote IoT security. In April, Biden signed an order targeting electric utility and grid cybersecurity, expected to be the first of several orders to better address risks tied to industrial control systems, or ICS.
Biden's Jobs Plan included substantial research and development funding for technology projects, including post-quantum encryption, noted Neuberger in her remarks, as well as funding to create a domestic microchip fabrication industry. And several coordinated efforts from the State Department, Cybersecurity and Infrastructure Security Agency, and law enforcement have also chipped away at the issue. These include globally coordinated efforts to fight ransomware and state-sponsored hacking campaigns.
The goal, said Neuberger, is to create a national culture of preparation for the future, rather than waiting for attacks to occur.
"While we must acknowledge breaches will happen and prepare for that, we simply cannot let waiting for the next shoe to drop be the status quo under which we operate," she said. "The national security implications of doing so are too grave."
The effort to be more proactive starts with the federal government, said Neuberger, pointing to an effort to modernize internal cybersecurity defenses.
"Following SolarWinds incident response we were confronted by the hard truth that some of the most basic cybersecurity prevention measures weren't systemically rolled out across federal agencies," she said.
The cybersecurity executive order promoted the federal use of zero trust, multifactor identification, testing and endpoint detection and response. It also added basic security standards to software purchased by the government, which Neuberger said would likely improve security across industries as vendors incorporate those best practices across customer sets.
But ultimately the administration hopes to create a marketplace of security by design that doesn't shift purely based upon the government's power of the purse.
"For those of you already following these practices, thank you. And thank you for your leadership. Thank you for investing in security at the beginning of the process, and by extension, investing in national security. And thank you for setting the tone for the community by leading by example," Neuberger said. "You deserve recognition for your commitment to security, and you deserve more than that. You deserve credit in the marketplace. But today, that's hard."
The reason that's hard, she continued, is that neither government nor consumers have visibility into what software is developed securely and what's not. "So while visibility and accountability are key drivers of software security, we are literally unable to factor them economically into our buying decisions."
The cybersecurity executive order included directives to develop optional security rating labeling for internet-of-things devices, akin to the health department grades that restaurants display. It would provide consumers, and the government, the ability to compare security between products.
Neuberger ended her talk with a call for industry to help in advancing cybersecurity for the good of the country.
"Bolstering the nation's cybersecurity, safeguarding our critical infrastructure and renewing America's advantages broadly are fundamental to the Biden administration's commitment to our national security strategy," she said. "Continued partnership with you, the private sector, is critical to achieving these objectives."