Over the past four years, there has been a lack of a consistent focus on cyber security and a lack of coordination between the different agencies in the US dealing with cyber security, not dissimilar to those that led to the forming of the National Cyber Security Centre (NCSC) in the UK, combining departments in GCHQ with others such as CPNI into a single organisation.
The incoming Biden administration is clearly putting a stronger emphasis on cyber security and strengthening coordination between US cyber security bodies in the same way.
This is evidenced by a number of appointments, including the recently created post of national cyber director (with a staff of 75) as principle adviser to the president. This post is expected to be filled by Jen Easterly, currently with Morgan Stanley, but formerly of the US National Security Agency (NSA). Also, Anne Neuberger, former head of the NSA’s Cybersecurity Directorate, has been chosen to fill the new post of deputy national security adviser for cyber and emerging technology.
Posts at the National Security Council and Department of Homeland Security and others have also been announced. Together, this will create the largest and probably most qualified team a US president has ever assembled to address cyber security.
The new president has also signalled a willingness for a renewed international collaboration on cyber security. Over the past four years, the relationship between the UK and the US has seemed turbulent, characterised by the different approaches to 5G, for example.
However, much of this has been at the political level and driven by US trade policies and the management of high-risk telecoms suppliers. Despite this, it is clear from the number of joint announcements calling out attack groups, such as the Chinese group APT10 in December 2018, the Turla Group in October 2019 and Russian ‘Cosy Bear’ attacks on vaccine developments in July 2020, that there is an ongoing relationship at the working level that can only be strengthened by the change in outlook from the US.
It has also been suggested that there will be a 25% year-on-year increase in federal cyber security budgets in 2021 and a $9bn injection into US IT infrastructure This increased spending will likely be in shoring up the federal government’s cyber defences in the light of the SolarWinds breach and protecting future elections and US democracy. Most likely spend will therefore be in the areas of threat detection, cloud security, privileged access management, zero-trust and endpoint security.
A role for the UK, if the government is willing
While the renewed cooperation and increased funding should be good news to UK cyber companies which can help fill some of the gaps, it is difficult for non-US companies to compete for US federal government projects unless they have a foothold in the US, and even more difficult when it comes to cyber security.
Therefore, while the UK is probably in the best position to do this, support from the UK government in the form of trade missions and lobbying will probably be needed.
Another area where the UK is leading is in the field of standards and regulation. The Telecoms Security Bill, resulting from the issues around 5G and high-risk suppliers, is significant in that it identifies specific security requirements for telecoms suppliers wishing to sell in the UK.
Also, the Department for Culture, Media and Sport (DCMS) is developing legislation to remove basic vulnerabilities from connected consumer devices such as security cameras, routers and the ever-increasing number of connected domestic appliances by introducing measures including banning the use of universal default passwords and requiring suppliers to provide clarity on how long the devices will be supported with security updates.
This is an area where the US could benefit from the UK approach, and US adoption would provide UK companies with a wider market for compliant products while others are catching up.
President Biden is clearly prioritising cyber security and is primed to increase spending in this area. There are likely to be opportunities for UK companies, but this will need early action and probably some level of government support.