A new cyber strategy is quietly emerging from the Biden administration. At its heart is an optimistic, progressive vision of the internet that had been at risk of being overshadowed by digital threats. It is a welcome return to the technological confidence and liberal values of the internet’s early days, tempered by the experience of cybercrime and cyberwar.
At the end of April, the White House announced a “Declaration for the Future of the Internet”—a statement, endorsed by more than sixty countries, that “reaffirms and recommits its partners to a single global Internet.” The vision is for “an open, free, global, interoperable, reliable and secure Internet” in contrast to the rising tides of “digital authoritarianism.”
Of course, the declaration leaves plenty of questions unanswered. How does the United States balance its commitments to privacy and human rights with its laissez-faire policies towards Big Tech, not to mention its own capacious surveillance operations? Without minimizing these concerns, a firm commitment by the United States and its partners to be on the right side of the digital divide between democracies and autocracies is the right place to begin.
By contrast, the previous administration sought to “preserve peace through strength” by lifting limits on offensive operations, ostensibly to deter adversaries. Whatever the value of offensive cyber operations, putting the emphasis on military domination of cyberspace sends the wrong message, and did nothing to prevent a series of increasingly serious cyberattacks affected major companies and government agencies that began in early 2020.
If the goal of President Donald Trump’s strategy was to scare the Russians and the Chinese, it didn’t work. The reality is that deterrence isn’t particularly helpful without a firm view of what behavior the United States is trying to deter—an issue on which there has been plenty of confusion among presidents of both parties.
According to former White House Cybersecurity Coordinator Michael Daniel, President Barack Obama had chosen not to retaliate against previous cyber intrusions by Russia’s SVR intelligence service because it saw them as traditional espionage. As the world’s most proficient and prolific practitioner of digital spying for foreign intelligence purposes, the United States has an interest in keeping international norms for such activities relatively unconstrained—undermining the effectiveness of any deterrence-based strategy.
The scale and variety of the attacks in President Joe Biden’s first year demonstrate the limits of any strategy focused on affecting the behavior of a varied group of adversaries, including state and non-state hacking groups with divergent motives and weaknesses. A better strategy is to be clear about what we are for—while getting our own house in order.
Last year, Biden issued an executive order requiring federal agencies to use a Zero Trust Architecture (ZTA) model for security, which is an approach that acknowledges the reality that security threats exist both inside and outside traditional network boundaries. Adopting a “zero trust” model for federal government cybersecurity should accelerate this move across industry; it is the most promising development in cybersecurity in years.
To coordinate the broader vision for cyber policy, the United States has a new official – the National Cyber Director, created by Congress in January 2021. Creating the National Cyber Director was a key recommendation of a bipartisan commission established in 2019. The director’s responsibilities include review of agency budgets, setting broad policy, and managing partnerships with industry and key allies. Last July, the Senate confirmed Chris Inglis, a former NSA official, to fill this new role.
In October, Inglis issued a Strategic Intent Statement to lay out his priorities for the Office of National Cyber Director. Notably, the statement took a step back from viewing cybersecurity exclusively “in negative terms.” “Digital connectivity is not some occasionally-destructive force of nature to be dispassionately tracked and mitigated, but a transformational tool to be wielded in furtherance of our highest ambitions.” The goal is “an open, interoperable, secure and reliable internet.”
The goals of the National Cyber Director’s Strategic Intent Statement align with the Declaration for the Future of the Internet. They have long been U.S. policy; it is refreshing to see them restated.
At the outset of Russia’s war against Ukraine, Biden was faced with questions about how he would respond to possible Russian cyberattacks. Instead of offering overblown rhetoric about offensive operations, he emphasized the need to secure our own networks. “For months,” he said, “we have been working closely with the private sector to harden their cyber defenses.” So far, this strategy is working.
In all of this, we can see the emerging Biden vision for cybersecurity: one that eschews illusions of dominating cyberspace through a grand strategy of offensive operations in favor of reaffirming our basic values and taking practical steps to secure our digital lives.
Timothy H. Edgar is a senior fellow at the Watson Institute at Brown University, teaches in its cybersecurity master’s program and is a lecturer at Harvard Law School. He served in the White House National Security Staff under President Barack Obama and is the author of Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA.