Last week a bipartisan group of US House of Representatives legislators introduced the National Cyber Director Act to create the position of a national cyber director within the White House. The creation of this role is one of the chief recommendations of an increasingly influential intergovernmental group known as the Cyberspace Solarium Commission.
The commission issued its report — the product of months-long deliberations by four members from congress, four senior executive agency leaders and six experts from outside of government – just as the coronavirus pandemic quarantine kicked in during March. Nevertheless, the commission’s 80 recommendations, such as creating a national cyber director, are quickly being translated into actionable legislation on Capitol Hill.
Two of the commission’s leaders, Cyberspace Solarium Chair Congressman Jim Langevin (D-RI) and Solarium Co-Chair Congressman Mike Gallagher (R-WI), introduced the bill. Other legislators backing the bill include House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), Ranking Member of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure and Innovation John Katko (R-NY), former Ranking Member of the House Intelligence Committee C. A. Dutch Ruppersberger (D-MD), and Ranking Member of the House Intelligence Committee’s Subcommittee on Intelligence Modernization and Readiness Will Hurd (R-TX).
The creation of a top official responsible for cybersecurity in the White House is not a new idea. Howard Schmidt and Richard Clarke served as special cybersecurity advisers to the president in the George W. Bush White House. Schmidt and Michael Daniel both served as White House cybersecurity coordinator under President Obama. Rob Joyce served as cybersecurity coordinator under Donald Trump until he was pushed out by then-National Security Advisor John Bolton.
“Certainly, when Rob Joyce’s position was eliminated by John Bolton, I think that was a major step backward,” Representative Langevin tells CSO. “I think John Bolton sold the president a bill of goods by recommending that the cybersecurity advisor position be eliminated in the first place.” Langevin, Gallagher and the rest of the bill’s backers are looking to make the job a statutory one that will be much more difficult to eliminate in the future.
Cyber director has reach across government agencies
The job of the new director “would be as a coordinator with policy and budgetary authority in the same way the trade representative has full visibility into the programs in that portfolio,” Langevin says. “The national cyber coordinator would basically be the individual that would have that visibility and have that policy and budgetary authority to reach across government agencies and really have more of an ability to compel departments and agencies to disclose their cyber vulnerabilities, their gaps, their loopholes in the systems.”
The need for departments and agencies to coordinate is essential, Langevin says. “We’re learning that now in the time of COVID. The disjointed response from the White House: Who’s in charge? Where is the national leadership on this? It’s a mismatched, hodge-podge of a response.”
When it comes to cybersecurity, “We have a lack of systemic coordination, for example, between CISA, NSA, Cybercom [US Cyber Command], etc., and we need to coordinate across the government better than what we’re doing now,” Langevin says. “The coordinator position would ensure that we are not working at cross purposes.”
Data breach prevention a key goal
The idea behind all this coordination is to prevent the next Office of Personnel Management (OPM) hack from occurring. “That was a department that clearly did not appreciate or understand the importance or value of the data that they were charged with protecting,” according to Langevin. “It wasn’t encrypted, they had old IT and data systems, they had been told many times they need to upgrade the security in their systems, and they didn’t do it. So, you had one of the greatest intelligence coups perpetrated against the United States in probably several decades. We will likely still be feeling the impact of those vulnerabilities for decades to come.”
Given the years-long absence of cybersecurity expertise in the current White House, how far down in the hole would a national cyber director be if a new administration takes over next year? Not as far down as some critics of the current administration suggest, Langevin indicates.
“If it’s a new administration, they are going to have their work cut out for them to put things back the way they existed before,” he says. “I would say both CISA and Cybercom continue to make progress even without leadership in the White House, but we need to make sure people aren’t acting in silos.”
Johnathan Reiber, senior director for cybersecurity strategy and policy at cybersecurity company AttackIQ, agrees. “I think that Cyber Command and CISA are headed by two exceptionally talented people,” Reiber, who served in senior positions in the Department of Defense and the Obama administration, tells CSO. “The people that I know in government are very, very good. I have tremendous faith in their leadership and their intellectual capacity and their management skills.”
In terms of the proposed national cyber director role, “What’s important is that this person can engage across agencies in a way that gives them gravitas for requiring that agencies do certain things,” Reiber says. “You need someone who could speak with authority to the president, who can run the policy process authoritatively and who can engage the public. It helps to have someone senior in the role who can speak with authority across all those three things.”
A full markup of the National Cyber Director Act is slated for July 1 in the House Armed Services Committee. The senate’s version of the National Defense Authorization Act simply recommends a study on the “feasibility and advisability” of creating a national cyber director.
The White House is reportedly resistant to the idea of creating a cyber director. However, the administration’s position will become clearer when it ultimately responds to the full Solarium Commission report, as it is required by law to do.
Copyright © 2020 IDG Communications, Inc.