Establishing a National Cyber Director Would Be a Mistake
A recent proposal from the Cyberspace Solarium Commission would solve few problems and create many.
Published by The Lawfare Institute
in Cooperation With
In March, the congressionally established Cyberspace Solarium Commission recommended establishing the position of a national cyber director within the Executive Office of the President, with a staff of 50 people. On July 15, the House Committee on Oversight and Reform held a hearing on this proposal. Cybersecurity is essential to the national and economic security of the United States, but establishing a national cyber director will solve few problems and create many, including confusion over roles and responsibilities and redundant layers of bureaucratic review.
To evaluate the proposal, the best place to start is to ask, what are its intended objectives? The commission’s co-chairmen offer two. First, “We need to elevate and empower existing cybersecurity agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA)[.]” Second, “We need to … create new focal points for coordinating cybersecurity in the executive branch and Congress.” Let’s look at these rationales.
First, the commission proposes elevating and empowering agencies. The “big three” agencies for cybersecurity are the Department of Justice, the Department of Defense/intelligence community and the Department of Homeland Security. Neither of the first two needs any elevation of its focus on cyber or an increase in its ability to access the president. Cybersecurity has been a focus of both going back to the 1990s. I was a cybercrime prosecutor at the Justice Department in 1995, and the National Security Agency has an even longer history of working on cyber issues. Moreover, the secretary of defense, the attorney general and the FBI director already have positions and authorities that provide strong access to the president and White House.
Perhaps that is why the commission report focuses on elevating the prominence of CISA within Homeland Security. But if CISA is the only major agency that is currently underequipped, there is a much simpler solution: give CISA a larger budget and stronger authorities, as the commission recommends elsewhere. And if that is not enough, then make CISA an independent, Cabinet-level agency with direct access to the president.
In contrast, creating a new Office of the National Cyber Director within the Executive Office of the President would do little to elevate CISA. In fact, it would likely have the opposite effect: reducing the influence of CISA as the new national cyber director works to clear some bureaucratic space by asserting authority and throwing some elbows.
The concern about undercutting the authorities of CISA is amplified by the legislation introduced to implement the recommendation. Among other things, that legislation gives the national cyber director the authority to develop defensive response plans for cyber incidents, direct that response, and coordinate with the private sector on both planning and operational response. Those seem like appropriate authorities for CISA—not a White House office—especially once you go beyond general assignment of responsibilities and processes such as those specified in PPD-41, “United States Cyber Incident Coordination.” The commission concluded that these functions require interagency leadership. But if so, why does the authority of the national cyber director extend only to Homeland Security functions and not Defense, intelligence or counterintelligence functions?
In this regard, the proposed national cyber director position simply isn’t “national.” According to the commission’s report, the director would coordinate cyber strategy and policy as well as “federal government activities to defend against adversary cyber operations inside the United States.” The report makes clear that the national cyber director will have absolutely no authority with regard to military, intelligence or counterintelligence activity. Instead, the director would be “kept fully apprised of those activities.” (If you haven’t spent much time in Washington, “kept fully apprised” means you don’t have a vote.) If Congress goes forward with this proposal, let’s be clear and title the position appropriately: the “national director of domestic cyber defensive and other activities that the Defense Department and the intelligence community care little about.”
The proposal also has a second objective of establishing new focal points for coordinating cybersecurity in the executive and in Congress. Again, what would the new Office of the National Cyber Director solve? Fixing congressional oversight requires reform in Congress. But creating a new bureaucracy doesn’t solve that problem. And there are more effective ways to ensure coordination within the executive branch. In fact, the White House had a solution that worked well: having a cybersecurity coordinator in the National Security Council. The government has had effective and successful people in that position—Howard Schmidt, Michael Daniel and Rob Joyce—but eliminated the position when Joyce left the White House. Instead of crafting a new proposal, perhaps we should return to something that worked.
Because “cyber” is of ever-increasing importance, the cybersecurity coordinator position could be elevated to that of an assistant to the president or deputy assistant to the president. This would not require creating a new bureaucracy, which would likely involve years of dispute and dysfunction, but would instead use the existing National Security Council apparatus honed over many decades. It would avoid bureaucratic infighting between the national security adviser and the national cyber director. Finally, it would avoid siloing cyber and physical security issues from each other—a key issue that I thought had been settled for good by giving CISA responsibility for protecting critical infrastructure from both physical and cyber hazards.
Contrary to this view, Michael Daniel believes that using the National Security Council to coordinate cybersecurity won’t work. Achieving cybersecurity requires work with the private sector, but Daniel argues that the National Security Council “is built to be internally facing, and it has strict limits on how its staff can interact with the private sector.” He is correct, but there is no perfect solution. The problems stemming from limitations on working with the private sector are to me outweighed by the advantages of the use of National Security Council processes, such as the ability to address physical and cyber threats, to include all types of government responses (such as military and law enforcement), and to preserve CISA’s existing expertise and authority. Moreover, the National Security Council can direct appropriate departments and agencies in the exercise of their authorities, which for the Department of Homeland Security and CISA includes precisely the type of private-sector collaboration that is an objective of this effort.
Finally, implicit in the second objective of better coordination is the desire to elevate cybersecurity in the Executive Office of the President so that it receives greater, government-wide attention. This is a fair point, since bureaucracies like the proposed White House office can help sustain momentum even as political winds and personal priorities change. But the juice may not be worth the squeeze. The influence and focus of any White House office varies with the president’s priorities. Real policy persistence stems from empowered and effective agencies and agency programs. Moreover, in the proposed legislation, the national cyber director’s authority would remain subservient to the national security adviser on national security issues. But in my mind almost all cybersecurity issues are national security issues, which undercuts the value of a statutory cyber office within the White House that is secondary on such matters.
If you want to improve the United States’s cybersecurity capabilities, avoid, as Mieke Eoyang and Anisha Hindocha put it, creating a new White House position with “a pastiche of responsibilities, authorities, structures and resources, which will set up this important office to fail[.]” If you want to “coordinate” effectively, then require the National Security Council to take up the issue fully using its existing processes. If you want to elevate cyber, and giving CISA a larger budget and more authorities is not enough, then make CISA an independent, Cabinet-level agency. Those activities—not a national cyber director—are the best means to elevate the importance of “cyber.”