Pressure to create a White House position to coordinate the executive branch’s cybersecurity efforts heated up this week after a key government auditing office described the position as “urgently needed.”
“The private sector is at the front lines of cybersecurity – the main effort,” said Rep. Michael Gallagher, R-Wis. “Right now, who do they look to in a crisis? It would ideally be a combination of a cyber director and the head of CISA,” or Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Throughout the Obama administration and into the early days of the Trump administration, the White House called upon a cybersecurity coordinator, a senior National Security Council official, to make sure that all the agencies rowed in the same direction when protecting data and systems. But the duties of the cybersecurity coordinator were absorbed into other leadership during the tenure of John Bolton as national security advisor in an effort to streamline decision making.
Since then, there has been bipartisan support to reintroduce the position in one form or another. The Cyber Solarium Commission, often described as “a 9/11 Commission for cybersecurity without a 9/11” and which Gallagher co-chairs, suggested a national cyber director, akin to the White House trade adviser, to head cyber oversight and coordination. The position is under discussion for the National Defense Authorization Act, the must-pass bill funding the military.
“My nightmare is a crisis happens and everyone is pointing fingers at everyone else,” Gallagher’s co-chair Sen. Angus King, I-Maine, told SC Media.
The lack of an authority figure to make sure that all agencies are operating in sync and in coordination with the private sector was the impetus behind a Government Accountability Office report released Tuesday. The GAO, Congress’s non-partisan research and auditing group, did not specifically endorse a name or standing for that position, though a cyber director is the option closest to implementation.
King noted that it is important to have the architecture to respond effectively to a crisis before it’s needed.
“The COVID-19 pandemic is a good example,” said King. “You don’t want to be standing up the structures in the middle of a crisis.”
The report emphasizes the importance of placing leadership in the White House close to the president, as a show of influence; that role would referee disputes and act as a proctor to keep everyone on track. King and Gallagher both add that the cyber director would be an adviser whose attention would stay on cybersecurity matters during other crises – preventing one disaster from being forgotten due to another.
The Solarium considered several models for introducing a cyber director-type position, including creating an independent agency and cabinet official, which it dismissed as taking too long to establish, politically infeasible, and “needlessly bulking out government.”
“When I came into this, I was skeptical of new positions,” said Gallagher. “But it became clear that this is the least bureaucratic solution.”
If the government waited until a 9/11-level cyber event, he fears, the result would be a much more hasty, much more costly solution in the fog of the crisis.
The cybersecurity director would have the ability to review budgets, but the real power of the position would come from its advisory role to the president. It would not, for example, be in the chain of command for cyberwarfare.
And the lack of authority is something of a paradox, noted Andy Grotto, who worked on cyber issues at the National Security Council under both Presidents Obama and Trump and is now a William J. Perry International Security Fellow at Stanford’s Cyber Policy Center.
“The authority of a cybersecurity coordinator rests in the prestige of the office and the barriers between that office and the president,” he said. “If the president didn’t want a cybersecurity coordinator, the president would ignore the one Congress created.”