The Office of the National Cyber Director (ONCD) was created in part to help bring coherence to the roles and responsibilities that different civilian agencies play in cybersecurity policy. When the office was first stood up, it was given the mission of coordinating cybersecurity work across civilian agencies, but had relatively few actual authorities beyond the ability to review budgets and make recommendations to agencies or the White House.
The Proactive Cyber Initiatives Act of 2022, introduced by Rep. Eric Swalwell, D-Calif., would seek to bolster those powers, adding language to federal law that explicitly puts the ONCD in charge of “deconflicting overlapping jurisdictions between agencies regarding cybersecurity activities and authority to mitigate risks.”
It would mandate that the head of each department and agency implement regular penetration testing for moderate- to high-risk government systems and report their findings to the ONCD and the Office of Management and Budget. While civilian agencies are already required to prioritize and secure high-value systems and data under a binding operational directive from the Cybersecurity and Infrastructure Security Agency, the tests would also feed into a number of reports to the executive branch and Congress examining whether additional laws or authorities are needed.
The bill would also tee up reports to Congress from the national cyber director, the Department of Defense, intelligence agencies and others studying the government’s use of active defense techniques such as deception technology and continuous monitoring solutions.
“Cybercrime is increasingly putting American families, businesses, and government agencies at serious risk. For too long, we have been addressing vulnerabilities only after a breach occurs,” Swalwell said in a statement. “My bill shifts the focus to one that is more proactive and innovative to protect our most critical infrastructures.”
More than just reviewing agency cybersecurity budgets
There has been an active debate around what hard authorities the ONCD should have since it was first pitched through the Cyberspace Solarium Commission. The law gives the office the ability to review agency cybersecurity budgets and it is reportedly leading the federal government’s new cybersecurity strategy. Beyond that, there are few, if any, forcing functions to compel agencies.
“Although the director has a long list of statutory duties under…the National Defense Authorization Act for Fiscal Year 2021, none amounts to anything more than the same advise-and-coordinate functions of most presidential aides,” wrote Devin DeBacker, a lawyer who served stints in the White House and Department of Justice, last year in Lawfare.
While National Cyber Director Chris Inglis has since embraced the role as a coordinator between federal agencies, critical infrastructure and the private sector, and talks frequently about bringing more clarity to the different roles and responsibilities in cyberspace, he has also at times expressed hesitance about the NCD becoming the all-deciding entity for settling disputes over cyber jurisdiction that some have called for.
The overwhelming complexity of modern IT and operational technology, as well as the distributed ownership and responsibility across the public and private sector, makes it difficult for any one entity to impose top-down solutions or policy.
“A favorite question in Washington essentially runs like ‘Well, given that there’s all these creatures in this space, who’s in charge?’ And the thinking is that perhaps this is hierarchical, a stovepipe unto itself, and we can essentially subordinate all of them to some kind of overlord and we can get this right because someone is actually calling out the orders, the script, moment by moment,” said Inglis in a speech at the Global Privacy Summit in April. “It can’t work that way in the diversity of this space.”