A Cyber Opportunity: Priorities for the First National Cyber Director
Despite the negative headlines surrounding the SolarWinds hack, President-elect Joe Biden and Vice President-elect Kamala Harris will soon inherit an executive branch moving slowly in the right direction on cyber security. But there is still a great deal of work to do to accelerate the pace of change in pursuit of improved federal cyber security as well as public-private collaboration on the issue. The National Defense Authorization Act for Fiscal Year 2021 , which just became law, provides a number of the tools necessary to move the country forward, with nearly 70 cyber-related provisions, 27 of which implement recommendations from the Cyberspace Solarium Commission’s March 2020 report. The most urgent and important provision among all 70 is the creation of the Office of the National Cyber Director.
The national cyber director will fill several important leadership roles in the White House that have been either missing entirely or lacking in practical effectiveness over the past four years, and in some respects over the past four administrations. The national cyber director will serve as the president’s principal adviser on cyber security and associated emerging technology issues, overseeing and coordinating federal government activities to defend the United States in the face of adversary cyber operations. The national cyber director will also serve as a primary point of contact with the private sector as well as state and local governments.
Setting up a new Cabinet-level office inside the Executive Office of the President is always a challenge, but doing so amid a presidential transition — and in the immediate aftermath of a crisis like the SolarWinds hack — significantly complicates the process. Yet one of the starkest lessons for cyber security that can be learned from the recent pandemic is that centralized White House leadership is critical in times of crisis to coordinate federal response efforts and liaise with critical private-sector stakeholders. The following is some advice from the Cyberspace Solarium Commission staff who helped develop the recommendation for a national cyber director on how the incoming Biden administration, which has signaled that it will prioritize cyber security, can get started.
An Office with a Mandate
The Biden administration should rapidly announce its nominee for the national cyber director and prioritize this person’s confirmation through the Senate. Even in advance of the confirmation, the administration can begin staffing the office. The staffing effort should balance all available hiring authorities — to bring in personnel from outside the government — and specify which departments and agencies can offer detailees to the office in order to efficiently build its 75-member staff. The goal should be to have the office up and initially functioning with 25 staffers by March 1 and fully functioning with 75 personnel by May 1.
With the backing of a fully functioning office, the national cyber director, once confirmed, can quickly build appropriate peer relationships and interoperability between the Executive Office of the President and the Office of Science and Technology Policy, the National Economic Council, the Domestic Policy Council, the Office of Management and Budget, and the National Security Council, on whose Principals Committee the national cyber director will sit.
At the same time, the national cyber director will need to rapidly build relationships with relevant Cabinet officials and department and agency leaders. This is important not only to establish the national cyber director’s role as the implementer of the president’s national cyber policy, but also to gain a better understanding of where each relevant department and agency currently sits with regard to cyber priorities and capabilities. This will include both the cyber security of the departments’ and agencies’ own departmental IT systems and their relationship with assigned civilian infrastructure sectors (i.e., energy, water, pipelines, etc.).
As the March 2020 Cyberspace Solarium Commission report highlighted and assessments by the Government Accountability Office have routinely underscored, there is a wide variance among federal departments and agencies regarding their attentiveness to cyber security as an issue, their engagement with assigned critical infrastructure sectors, or both. As the Fiscal Year 2021 National Defense Authorization Act now codifies these agencies in law as “sector risk management agencies,” it is crucial for the national cyber director to understand each agency’s strengths and weaknesses as the national cyber director works with and through sector risk management agencies to improve the cyber security posture of America’s critical infrastructure.
Finally, the national cyber director should assume leadership of the Cyber Response Group and Cyber Unified Coordination Group. These groups were created by Presidential Policy Directive 41. The Cyber Response Group coordinates the development and implementation of cyber policy, and the Cyber Unified Coordination Group is stood up as required to coordinate between federal agencies, and to integrate private sector partners, during incident response efforts. The work of both these groups should be accountable to the national security adviser via the national cyber director.
Strategy and the Tools to Implement
With the office in place, a national cyber director nominated, and relationships established between the office and relevant departments and agencies, the national cyber director can then start building the president’s national cyber security strategy. The 2018 National Cyber Strategy is not a bad place to start, but it is missing some important elements, like a detailed roadmap for building public-private collaboration, and the integration of defend forward and persistent engagement into the broader national strategy.
An effective national strategy for cyberspace should explicitly synchronize the activities and objectives of key stakeholders, including state and local governments and the private sector. It should also identify core lines of effort, like prioritizing the security of critical infrastructure, integrating and leveraging all aspects of U.S. national power, and improving the security of the broader national cyber ecosystem. In building the strategy, the national cyber director should also prioritize working with the national security adviser and the director of national intelligence to properly articulate America’s offensive cyber strategy.
The national cyber director will likely need to build an international coalition to implement aspects of the strategy, which includes advocating for norms, reinforcing confidence-building measures, responding diplomatically to cyber threats, and building capacity in America’s partners and allies to promote cyber security and combat cyber crime. Thus, the national cyber director should work with the Department of State to reprioritize international cyber engagement through the formation of the Bureau of Cyberspace Security and Emerging Technologies. While certain aspects of the formation of the bureau, like creating an assistant secretary-equivalent position to head the office, will eventually require congressional support, the national cyber director can get the process started by working with the secretary of state to establish the bureau.
The national cyber director will also need to support the Joint Cyber Planning Office, newly created through the FY2021 National Defense Authorization Act, to ensure effective implementation of the new National Cyber Strategy. The Joint Cyber Planning Office is intended to coordinate cyber security planning and readiness across the federal government and between the public and private sectors. The national cyber director should work with this office early both to provide intent and direction for initiatives like Continuity of the Economy planning and to ensure fulsome cooperation by the interagency with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which will run the office on a day-to-day basis.
Engage the Private Sector
Beyond the Joint Cyber Planning Office, the national cyber director should build a stronger relationship between the federal government and the private sector. While the Cybersecurity and Infrastructure Security Agency should remain the operational arm of the U.S. government for cooperation with the private sector on cyber security, the national cyber director should serve as the high-level point of contact within the White House for executives on cyber security. The national security adviser, who now often fields these calls, should particularly appreciate this national cyber director tasking.
The national cyber director’s role with the private sector does not end with relationship building. The national cyber director will play an integral role in shepherding a number of new initiatives aimed at working more closely with the private sector, including the maturing of sector risk management agencies and initiating continuity of the economy planning. More broadly, the national cyber director will need to identify efficient ways to share cyber intelligence and information with the private sector and build a process to collaborate on its analysis — through something like a joint collaborative environment, which would allow the federal government to share threat information in real time, both internally and externally. The national cyber director will also grapple with ways to better enable private-sector cyber defense and incentivize the creation of a more secure and defensible cyber ecosystem.
An Eye on What Comes Next
The national cyber director will likely be the best person equipped to look into the short- and long-term future to determine what capabilities the U.S. government should develop and prioritize. Although too late for SolarWinds, a number of needed changes just became law through the National Defense Authorization Act. These include increased authorities for threat hunting on federal networks and increased funding for hunt and incident response teams, the capability at the Cybersecurity and Infrastructure Security Agency that, in the agency’s words, “provides incident response, management and coordination activities for cyber incidents occurring in the critical infrastructure sectors as well as government entities at the Federal, State, Local, Tribal, and Territorial levels.” These are important changes, but Congress may need to do more, and the national cyber director will need to determine what additional authorities the U.S. government requires to better work with the private sector and accomplish its cyber missions.
A good place to start would be to review the remaining legislative recommendations from the Cyberspace Solarium Commission that Congress has not yet adopted as well as the recommendations for the executive branch and U.S. industry that still require additional action. In particular, creating a “cyber state of distress” would allow the Cybersecurity and Infrastructure Security Agency to unlock funds to reimburse Department of Defense operators acting under defense support to civil authorities to augment incident response and recovery capabilities in times of crisis.
Moore’s law, familiar to many in the cyber world, posits that the number of transistors on a circuit board will double every 18 months, and with it, our computing power. Cyber policy follows a similar law, wherein circumstances constantly shift and new policies and laws are required roughly every 18 months. The White House should be agile enough to keep pace. The Office of the National Cyber Director is a step in the right direction, but its first 18 months will be critical for ensuring not only its success, but also that of the nation. The national cyber director should construct the office, develop a new strategy, and possibly work with lawmakers on further laws.
In sum, the national cyber director should be ready and equipped to lead the executive branch through the next set of cyber security challenges, whatever they may be.
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and senior adviser to the chairmen of the Cyberspace Solarium Commission. Follow Mark on Twitter @MarkCMontgomery.
Robert Morgus is a senior director for the U.S. Cyberspace Solarium Commission, where he directs research and analysis for Task Force Two. At the commission, Morgus has led the development of the ecosystem pillar of the commission’s final report as well as the Pandemic White Paper and the Supply Chain White Paper. Previously, he helped build New America’s Cybersecurity Initiative, where he headed the organization’s international cyber policy work.