Coordination is king in cyber, and yet that’s what the Trump White House decided to do without in 2018, when then-National Security Advisor John Bolton abolished a White House cybersecurity coordinator position as a bureaucratic redundancy.
Bolton in his new book, “The Room Where It Happened,” may be spot-on regarding President Trump’s transactional and ineffective approach to China, and the president’s inexplicably indulgent policy toward Russia. But it was Bolton’s call to eliminate the cyber post after former coordinator Rob Joyce decided he wanted to leave the Trump White House.
A National Security Council spokesman said in May 2018 that two “senior directors” on the NSC staff would pick up the portfolio from Joyce. “Moving forward, these Senior Directors will coordinate cyber matters and policy. As they sit six feet apart from one another, they will be able to coordinate in real time.”
Proximity might help in shuffling papers between the two staffers, but it missed the point. The position itself was a signal to the rest of government and the public that cybersecurity was a paramount issue; the coordinator, as the role was defined by Joyce’s Obama-era predecessor Michael Daniel, was a national and international evangelist on cyber.
It addressed the jurisdiction-hopping nature of cyber and created a space for figuring out whether and how activities at one department meshed with others. And, it ensured one high-level official and government office was focused on cyber and nothing else, which is particularly relevant given the conflicting demands that always pulled at the Homeland Security secretary and other cabinet leaders.
Fast-forward to 2020 and a highly touted Cyberspace Solarium Commission composed of lawmakers, current and former government officials, and cybersecurity experts attempted to correct that seminal blunder.
The landmark Solarium report released in March recommended the creation of a national cyber director position — a much-stronger version of the coordinator role, with budgetary and other powers to oversee the government’s complex and far-flung cyber efforts.
Congress chartered the Cyberspace Solarium Commission in the 2019 annual defense policy bill and many of its recommendations were folded into the House and Senate versions of this year’s National Defense Authorization Act. The NDAA has passed both chambers and is now the subject of final negotiations.
The National Cyber Director provision is in the House version but didn’t make the cut in the Senate.
The Senate Armed Services Committee on Tuesday will hold a hearing on the Solarium report, and the commission’s co-chairs — Sen. Angus King (I-Maine) and Rep. Michael Gallagher (R-Wisc.) — will appear as witnesses and try to make the case for the new position.
They say it’s the linchpin to successfully implementing everything else in their report intended to strengthen the U.S. government’s structure and approach to cyber, better define the military’s role and deepen collaboration with the private sector.
“The key is to have someone in charge overall,” King said as a witness at a recent House Homeland Security hearing. “There’s no person with the authority of the White House to settle turf wars, to oversee budgets and forge cooperation through the various agencies involved.”
The Trump administration and some key Republican senators raise concerns about creating a vast new bureaucracy within the Executive Office of the president. They ask how a national cyber director’s office would interact with other key players on cyber, including the Cybersecurity and Infrastructure Security Agency at DHS.
Sen. Mike Rounds (R-S.D.), who chairs the Armed Services cyber subcommittee, is among the skeptics.
But Solarium Commission members and staff say they are eager to work out those details, and that this new position is essential to successfully implementing the panel’s 80-plus recommendations.
Solarium Commission Executive Director Mark Montgomery said that while there’s no guarantee the two chambers will draft specific legislation, he and the commission will work to get as many of the provisions into the final legislation.
He also noted he is most interested in the national cyber director and economic planning provisions.
Rhode Island Democratic Rep. Jim Langevin, a Solarium Commission member, also signaled optimism that creation of a national cyber director would be approved.
Melissa Hathaway, who helped formulate cyber policy for both Presidents Obama and George W. Bush, offered strong support for a national cyber director position, though she noted the inevitable presidential opposition saying, “It’s hard to tell any president this is what you have to do.”
Still, she acknowledged that whoever it is, a national cyber director needs to sit in the White House, close to the National Security Council, National Economic Council and the Office of Science and Technology Policy.
With negotiations underway on the final version of the must-pass national defense bill, lawmakers have one more chance this year to position the United States for confronting a cybersecurity challenge that grows more dangerous at every turn.
The nation’s approach to cybersecurity needs to be crystalized and requires focused leadership. As a big first step in that direction, creating a national cyber director is about as close to a consensus recommendation among cyber experts as we’re likely to see.
Charlie Mitchell is author of “Cyber in the Age of Trump: The Unraveling of America’s National Security Policy.” He is co-founder and editor of InsideCybersecurity.com.