How the President Can Shape the Role and Oversight of the National Cyber Director

Devin DeBacker
Monday, December 6, 2021, 8:01 AM

The national cyber director’s lack of independent legal authority, combined with Senate confirmation, gives the president broad latitude to shape this role and authority within the executive branch.

Former defense secretary Ash Carter shakes hands with then-Vice President Joe Biden after meeting with the National Security Council. (Photo by U.S. Secretary of Defense)

Published by The Lawfare Institute
in Cooperation With
Brookings

The White House has its first Senate-confirmed national cyber director, but the position’s role in the executive branch hasn’t been spelled out yet. President Biden’s May executive order on cybersecurity deferred defining the national cyber director’s role until after his office was up and running. How could the president shape the position? Specifically, how do the national cyber director’s legal authorities affect the president’s ability to fashion the director’s role in the executive branch, and how do those authorities affect external oversight of his office?

The national cyber director advises and assists the president in exercising the president’s own authority but does not have any significant legal authority independent of the president. Like other Senate-confirmed presidential aides, the national cyber director can be delegated presidential authority, giving the president broad latitude to shape the director’s role in ways that are not available for most White House aides. Unlike other Senate-confirmed presidential aides, though, the national cyber director’s lack of independent authority implicates additional separation of powers constraints on congressional oversight directed to the White House and exempts the office from public access under the Freedom of Information Act.

The National Cyber Director Lacks Independent Legal Authority

As far as the national cyber director’s legal authority goes, the director is no different from the typical presidential adviser. Although the director has a long list of statutory duties under Section 1752(c) of the National Defense Authorization Act for Fiscal Year 2021 (FY2021 NDAA), none amounts to anything more than the same advise-and-coordinate functions of most presidential aides. The director “serve[s] as the principal advisor to the President on cybersecurity policy and strategy.” In addition, the director:

  • “[O]ffer[s] advice and consultation” to the National Security Council (NSC) and other agencies on “the development and coordination of national cyber policy and strategy, including the National Cyber Strategy[.]”
  • “[L]ead[s] the coordination of implementation of national cyber policy and strategy, including the National Cyber Strategy,” by “monitoring and assessing” the implementation” and “making recommendations”; “reviewing” and “advising” on agencies’ proposed budgets for consistency with national cyber policy; and “coordinating” with various officials “on the streamlining of” cyber policies.
  • “[L]ead[s] coordination of the development” and implementation of “integrated incident response to” significant cyber incidents.
  • “[P]repar[es]” the federal government’s plans for responding to significant cyber incidents, including “developing” “operational priorities, requirements, and plans” for the president’s approval, “ensuring incident response is executed consistent with the[se] plans,” and “ensuring” consultation with “relevant private sector entities[.]”
  • [C]oordinate[s] and consult[s] with private sector leaders on cybersecurity and emerging technology issues in support of, and in coordination with,” relevant officials.
  • “[A]nnually report[s] to Congress on cybersecurity threats and issues facing the United States.” 

The only enumerated function that comes close to suggesting anything more than advice and assistance is the director’s role in “preparing” the government’s playbook for cyber incident response. But the director prepares those plans for the president’s approval. And although the director is statutorily responsible for “ensuring” that those plans are carried out, the director has no operational authority or other authority to force anyone else in the government to take (or refrain from) actions that the director believes to be consistent (or inconsistent) with those plans. 

Section 1752(f) is clear on that point. The law establishing the national cyber director does not “modify[] any authority or responsibility, including any operational authority or responsibility of any head of a Federal department or agency.” The director has no power “to interfere with or to direct” “a criminal or national security investigation, arrest, search, seizure, or disruption operation”; “a military operation”; “any diplomatic or consular activity”; or “an intelligence activity, resource, or operation.” Congress also has not given the director any power “to modify the classification of intelligence information.”

So the national cyber director has no independent authority (other than the power to hire staff under Section 1752(e)). He can review and recommend changes to cybersecurity-related budgets, but cannot force agencies to revise them. He can develop playbooks to harden cybersecurity infrastructure and respond to incidents, but cannot effectuate them on his own, must have them approved by the president, and cannot force any particular actions to be taken. He can “promulgate such rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the Director,” but these rules and regulations cannot give him any authorities beyond those granted by statute.

The upshot is that the national cyber director is just another presidential adviser under the executive branch’s view of the law. What does that mean? 

First, because Congress has not purported to impose any legal obligation on the president to nominate anyone when the director’s position is vacant, the president has discretion over whether to nominate anyone to fill a vacancy in the role. That discretion makes the national cyber director similar to its predecessor, the cybersecurity coordinator position within the NSC that presidents have discretionarily created and eliminated

Second, even when there is an appointed national cyber director, the president determines whether, to what extent, and on what issues he seeks the director’s advice. The executive branch’s position is generally that the president gets to choose who to turn to for advice, even if Congress has created a specific position to advise on a specific subject. Under this viewwhich grew in part out of the executive branch’s long-standing constitutional concerns about subjecting close presidential advisers to Senate confirmationCongress cannot constitutionally require the president to seek advice on a particular subject from a particular official and cannot prohibit the president from seeking advice on that subject from others. Federal courts have suggested the same. And as the Congressional Research Service acknowledges, “nothing precludes the President from consulting” with other White House aides “on issues that the codified positions would have jurisdiction over.” So the president does not have to seek the national cyber director’s advice on cybersecurity and can seek the advice of others—just as with any other White House adviser. Thus, the national cyber director’s influence and authority, like that of other presidential advisers, depends on the strength of his relationship with the president and politics.

The President’s Power to Shape the National Cyber Director’s Role 

There’s one important difference between the national cyber director and most other White House advisers (including prior presidentially designated cybersecurity coordinators): The former requires Senate confirmation. That difference is legally significant: The president can delegate authority to the national cyber director. Under 3 U.S.C. § 301, presidential authority and functions may be delegated to “the head of any department or agency in the executive branch, or any official thereof who is required to be appointed by and with the advice and consent of the Senate.” That rules out the usual cadre of White House advisers and aides, who ordinarily are neither Senate confirmed nor department or agency heads. But as a Senate-confirmed official, the national cyber director can be delegated presidential authority. 

The national cyber director is not unique among presidential advisers in this respect. There are a few Senate-confirmed advisers in the Executive Office of the President (EOP), such as the director and deputy director of the Office of Management and Budget, the director of national drug control policy, the director of the Office of Science and Technology Policy, and the U.S. trade representative. Although the president could have lawfully delegated cybersecurity-related authority to one of these preexisting Senate-confirmed advisers, it wouldn’t have made much sense to do so; none of them has any particular focus on or expertise in cybersecurity. 

So one place to look for clues as to the national cyber director’s importance and role in the executive branch is whether the president expands the role beyond advice and assistance by delegating presidential authority to the office. President Biden’s May executive order on cybersecurity punted on the national cyber director’s formal legal role. The executive order noted only that, once the office was filled and established, the order “may be modified to enable the [national cyber director] to fully execute its duties and responsibilities.” 

Once the national cyber director is settled in, what are some ways that the president could shape his role?

Cyberattack Response Playbook. As explained above, Section 1752 authorizes the national cyber director to “prepar[e]” the federal government cyberattack response playbook for the president’s approval. But the president could authorize the national cyber director to prepare those plans without the need for his approval. 3 U.S.C. § 301 authorizes the president not only to delegate authority but also to authorize a Senate-confirmed official like the national cyber director to “perform without approval, ratification, or other action by the President … any function which such officer is required or authorized by law to perform only with or subject to the approval, ratification, or other action by the President.”

National Cybersecurity Reporting Requirement for the Private Sector. Under the International Emergency Economic Powers Act (IEEPA), the president has broad authority to impose record-keeping and reporting requirements in exercising IEEPA authorities. As I have explained elsewhere, the president could delegate this authority to the national cyber director to establish comprehensive national requirements on the private sector to report foreign cyberattacks to the federal government (if Congress does not get to it first).

Cybersecurity-Related Reports. Congress requires the president to submit regular reports on various subjects related to cybersecurity. For example, the president must submit an annual report on foreign economic espionage in cyberspace (currently handled by the National Counterintelligence and Security Center in the Office of the Director of National Intelligence). The president must also submit recurring reports to Congress on his use of authority under IEEPA, including the malicious cyber-enabled activities sanctions program under Executive Order 13694 (administered by the Department of the Treasury) and review and licensing programs for the information and communications technology and services (ICTS) supply chain under Executive Order 13873 and for software linked to foreign adversaries under Executive Order 14034 (both administered by the Department of Commerce). While the president is unlikely to entirely shift these reporting duties away from the agencies responsible for administering the underlying sanctions programs, the president could make the national cyber director jointly responsible for some of these reports or add the director to the list of required consultees.

Cybersecurity-Related Sanctions and Licensing Programs. The Department of the Treasury’s Office of Foreign Assets Control administers the U.S. economic sanctions program for malicious cyber-enabled activities, and the Department of Commerce administers a review and licensing program for the ICTS supply chain and for software linked to foreign adversaries. Because these programs were created by the president’s authority under IEEPA, the president could modify them to include a role for the national cyber director. Although the Department of the Treasury and the Department of Commerce (to a lesser extent) have the experience and preexisting structure for administering these kinds of programs, these agencies have comparatively less expertise than the national cyber director when it comes to cybersecurity. Thus, it may make sense to leverage the director’s cyber-specific expertise by including a role for him in these programs. For example, the president could explicitly add the national cyber director to the list of required consultees for identifying prohibited transactions in the ICTS supply chain or sanctioned cyber-enabled malicious activities, or require the secretaries of the Treasury and Commerce to consult the national cyber director about the attribution of cyberattacks. Likewise, Treasury and Commerce could alter their regulatory processes for these programs by carving out a specific role and procedure for the national cyber director to provide information about the cybersecurity-related risks and technical data that may be relevant in evaluating prohibited transactions and proposed licenses.

Original Classification Authority. Although Section 1752 does not authorize the national cyber director to modify the classification of intelligence information, this statutory limit merely means that Congress has not given the director original classification authority. However, the president could use his constitutional authority to delegate original classification authority to the national cyber director. President Obama, for example, delegated original classification authority to his chief of staff, national security adviser, homeland security adviser, director of national drug control policy, director of the Office of Science and Technology Policy, and the chair of the President’s Intelligence Advisory Board. 

Sharing Cyber Threat Information With the Private Sector. President Obama created a mechanism for disseminating the government’s cyber threat information to critical infrastructure owners and operators, and instructed the director of national intelligence to establish the Cyber Threat Intelligence Integration Center to centralize and lead intelligence related to foreign cyber threats and cyber incidents affecting U.S. national interests. The national cyber director—as the lead presidential adviser on cyber and the executive branch coordinator for national cyber policy, programs, and response—will have to have some access to and involvement in these programs to do his job. So President Biden will have to decide the extent to which these programs need to be modified to incorporate the national cyber director.

Defense Production Act. Under the Defense Production Act (DPA), the president has various powers to mobilize industry and resources for national defense. The president or his delegees can, among other things, (1) require the private sector to accept and prioritize contracts that “he deems necessary or appropriate to promote the national defense”; (2) “allocate materials, services, and facilities” however “he shall deem necessary or appropriate to promote the national defense”; (3) provide loans, loan guarantees, or grants to ensure a sufficient domestic supply for “industrial resources,” “materials,” and “critical technology items” that are “essential to the national defense”; (4) establish voluntary agreements with private manufacturers, distributors, and others to share information and act cooperatively in ways that may otherwise subject them to antitrust liability, without fear of liability; and (5) compel the private sector to provide information that that “may be necessary or appropriate, in his discretion,” to enforce or administer his DPA authorities.

How these authorities could specifically be used for cyber is beyond the scope of this post. For now, it’s sufficient to point out that these authorities are broad enough to include many aspects of cyber policy. These authorities extend to, for example, “materials,” “services,” and “critical technology items” that are essential to the “national defense.” “Materials” include not only physical items but also “any technical information or services ancillary to” their use. “Services” include “any effort that is needed for or incidental to,” for example, “the development, production, processing, distribution, delivery, or use of an industrial resource or a critical technology item” and “other national defense programs and activities.” A “critical technology item” is any “material[] directly employing, derived from, or utilizing a critical technology,” which “includes any technology designated by the President to be essential to the national defense.” “National defense” includes “homeland security” (the prevention of terrorism) and “critical infrastructure protection and restoration,” and the latter specifically “means any systems and assets, whether physical or cyber-based, so vital to the United States” that their “degradation or destruction” would “have a debilitating impact on national security including, but not limited to, national economic security and national public health or safety.”

In addition to delegating presidential authority, the president could include the national cyber director in various executive branch committees and task forces. For example:

Committee on Foreign Investments in the United States (CFIUS). Although CFIUS has nine statutorily prescribed members, the president has authority to add the “heads of any other executive department, agency, or office, as the President determines appropriate, generally or on a case-by-case basis.” While the usual presidential advisers do not qualify, the national cyber director does because he is the head of an “office.” Section 1752(a) of the FY2021 NDAA “establishe[s], within the Executive Office of the President, the Office of the National Cyber Director,” and Section 1752(b)(1) makes clear that this “Office shall be headed by the National Cyber Director.” The president could add the national cyber director to CFIUS in cases involving, for example, cybersecurity and data privacy.

Participation in Interagency Task Forces. At any time, the president has many intra- and interagency task forces and roughly 1,000 advisory committees. These include ones related to the national cyber director’s responsibilities, such as the Justice Department’s ransomware task force and the National Cyber Investigative Task Force.

Congressional Oversight of the National Cyber Director

The national cyber director’s role in the executive branch also has important legal consequences for congressional and public oversight of his office. 

The requirement of Senate confirmation may seem to subject the national cyber director to greater congressional and public oversight than the usual cadre of non-Senate-confirmed presidential advisers. But under existing law and the executive branch’s long-standing views, the national cyber director’s office will be as insulated from congressional oversight as other White House advisers and will be exempt from public scrutiny under the Freedom of Information Act.

Legally, the executive branch will treat the national cyber director like most other White House aides for purposes of congressional oversight, subjecting such inquiries to heightened scrutiny. Under the executive branch’s view, “[e]ven when Congress operates within the appropriate scope of its oversight authority, the Constitution places additional separation of powers constraints” on congressional inquiries directed to EOP components “whose principal function is to advise and assist the President in the discharge of the duties of his office.” These components include not only purely advise-and-assist components such as the NSC and the White House Office but also “dual-hat presidential advisers” outside the EOP who exercise “substantial independent authority or perform other functions in addition to advising the President” to the extent that oversight targets “activities implicating the advising ‘hat’ of those officials” (rather than the independent authority granted by Congress). According to the Office of Legal Counsel, the additional constraints arise from two interests that are “particularly acute with respect to White House advisers.” The first interest is autonomy: maintaining the independence of the presidency by “protect[ing] the ability of the White House to function effectively in advising and assisting the President” in his constitutional responsibilities. The second interest is protecting the “heightened confidentiality interests in White House communications,” which “more often implicate the deliberative process, the attorney-client communications and attorney work product, and particularly the presidential components of executive privilege.”

Like the NSC and the White House Office, the Office of the National Cyber Director is a purely advise-and-assist component that lacks independent authority, as explained above. In addition, both of the interests underlying the additional separation of powers constraints apply to the Office of the National Cyber Director with the same force as other EOP advise-and-assist components: With respect to autonomy, if “compliance with a subpoena that is excessively broad or intrusive might burden White House personnel to a degree that prevents them from effectively advising and assisting the President in the performance of his constitutional duties,” that concern would apply equally to the national cyber director. And regarding confidentiality, the communications and documents of the national cyber director—who “serve[s] as the principal advisor to the President on cybersecurity policy and strategy”—are just as likely to disproportionately implicate executive privilege as other advise-and-assist EOP components.

So under its current approach, the executive branch would subject congressional oversight targeting the Office of the National Cyber Director to the same additional separation of powers constraints as the NSC, the White House Office, and other EOP advise-and-assist components. What does that mean in practice? 

First, the executive branch will closely “scrutinize the asserted legislative purpose underlying a congressional request” and reject any oversight inquiries into “the discharge of functions exclusively entrusted to the President by the Constitution” (absent an impeachment inquiry). This constraint is not likely to be particularly meaningful for the national cyber director. His statutory functions largely relate to “subject[s] on which legislation could be had” rather than the president’s exclusive constitutional functions (“to pardon, to sign or veto legislation, to nominate and appoint officers of the United States, and to remove officers and other officials,” in foreign policy and diplomacy, and as commander in chief).

Second, the executive branch will require Congress to first “exhaust[] the possibility of obtaining the necessary information elsewhere” (such as from an agency) before directing its inquiry to the White House. This is likely to be a significant constraint. The national cyber director advises and coordinates national cyber policy and incident response across “all relevant Federal departments and agencies.” His office’s work potentially touches some aspect of nearly every other federal agency, such as the following:

  • Cyber-related intelligence in the Office of the Director of National Intelligence and the rest of the intelligence community. 
  • Cyber operations and defense involving the Department of Defense, the CIA, the Department of Homeland Security, the National Security Agency, the U.S. Armed Forces and others.
  • Cyber-related economic sanctions administered by the Department of the Treasury.
  • Cybersecurity and data privacy issues arising in cross-border investments and transactions reviewed by CFIUS and in telecommunications licenses reviewed by Team Telecom.
  • Law enforcement, counterterrorism efforts and legal advice by the Department of Justice. 
  • Export controls imposed by the departments of State and Commerce.
  • Technology acquisitions, operations, and audits by the Government Accountability Office.

Third, the executive branch will impose additional restrictions on how information is released in response to the rare congressional inquiry to the Office of the National Cyber Director that the executive branch views as appropriate (that “concerns statutory functions, is within the committee’s delegated oversight authority, and rests on a legitimate legislative purpose,” and “after the committee has attempted to seek such information from any relevant agencies”). For example, in deciding how to accommodate such inquiries, “[t]he White House does not ordinarily undertake the burden of reviewing and producing e-mails and other documents, which generally will consist primarily of deliberative communications within the White House or between the White House and other parts of the Executive Branch.” Instead, the Office of the National Cyber Director is likely to continue the White House’s “typical[]” practice of “providing written responses or oral briefings on relevant activities or policies, supplemented sometimes by the production of specific non-privileged documents.”

To be sure, the national cyber director is a Senate-confirmed position, and both the Senate committee handling confirmation as well as individual senators frequently ask nominees to commit to responding to congressional oversight as part of securing confirmation. Although appointees, once in office, sometimes feel a moral or political duty to respond as a result of those promises, those pre-confirmation promises do not confer any greater legal authority on the Senate to compel testimony. As the Congressional Research Services recognizes, “[w]hile promises made at confirmation hearings appear to have changed the practical relations between Congress and the executive” by sometimes increasing the likelihood of a voluntary response to oversight requests, these promises “have not changed the legal dynamic.” 

The bottom line? There is not likely to be much congressional oversight of the Office of the National Cyber Director other than what the executive branch is willing to voluntarily engage in.

Public Oversight of the National Cyber Director

Nor is there likely to be greater public access to the inner workings of the Office of the National Cyber Director. Although the Freedom of Information Act (FOIA) requires each “agency” to promptly produce records to any person who requests them subject to certain exemptions, an advise-and-assist component like the Office of the National Cyber Director is not an “agency” under existing law. Under the FOIA, an “agency” “includes any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President).” This definition specifically encompasses the EOP, but the Supreme Court in Kissinger v. Reporters Committee for Freedom of the Press (1980) concluded that Congress did not intend for “the President’s immediate personal staff or units in the Executive Office [of the President] whose sole function is to advise and assist the President” to be “included within the term ‘agency’ under the FOIA.”

Although courts have expressed various tests for determining whether an EOP unit is an agency subject to the FOIA, the U.S. Court of Appeals for the D.C. Circuit has explained that “common to every case” in which an EOP unit is an agency is its “wield[ing] substantial authority independently of the President.” Courts have held that the FOIA reaches, for example, the Office of Science and Technology (which had “independent authority to evaluate federal scientific research programs, initiate and fund research projects, and award scholarships”), the Office of Management and Budget (which has, among other things, “a statutory duty to prepare the annual federal budget”), and the Council on Environmental Quality (which “issue[s] guidelines to federal agencies for the preparation of environmental impact statements” and “issue[s] regulations to federal agencies for implementing all of the procedural provisions of the National Environmental Policy Act”). By contrast, EOP components that merely advise and assist the president are not agencies subject to the FOIA, such as the Office of Administration, the Task Force on Regulatory Relief, the Council of Economic Advisers, and the NSC.

The NSC is probably the most useful comparison in evaluating the Office of the National Cyber Director. Congress specified that the NSC’s functions are “advis[ing] the President” to ensure more effective “cooperat[ion]” among agencies in matters of national security, “assess[ing] and apprais[ing] the objectives, commitments, and risks” to the United States concerning its military power, “mak[ing] recommendations to the President” on matters of national security, and “coordinat[ing], without assuming operational authority,” the U.S. response to malign foreign influence operations and campaigns. As both the D.C. Circuit and the Second Circuit have explained, these functions amount to nothing more than advising and assisting the president in the exercise of his own authority—not the exercise of independent authority. In the Second Circuit’s words, “identifying problems, developing best practices, [and] monitoring implementation” are “precisely those expected of an advisory body.” Recommendations are “advice to the person with authority to act on them.” “Coordination” is “the means by which the President can secure both the collective national security recommendations of department heads and their cooperation in integrating his policies across various parts of government.” And the NSC has no mechanism “to compel” action by departments and agencies, absent a presidential directive. 

Like the NSC, the Office of the National Cyber Director’s sole function is to advise and assist the president in exercising his authority. As explained above, the national cyber director advises the president on cybersecurity policy and strategy, coordinates the policy across the executive branch by “monitoring and assessing” its implementation and “mak[ing] recommendations to the heads of agencies, and prepares the federal government’s response playbook for cyberattacks and significant cyber incidents for the president’s approval. He has no operational authority and no mechanism for compelling agency action absent a presidential directive. So the Office of the National Cyber Director is not an “agency” subject to the FOIA. 

The same is probably true even if the president delegates some of his authority to the national cyber director. Under existing precedent, the critical question for agency status is whether the component exercises “substantial authority independently of the President.” The exercise of authority delegated by the president is dependent on, not independent of, the president. Thus, when the Second Circuit faced the argument that the president had delegated authority to the NSC in such a way as to make it an “agency” under the FOIA, the court was “skeptical” that a president could “ever be said to have delegated his own authority in a way that renders it truly independent of him.” With delegated authority, the president “alone decides the extent and conditions of any delegation” and “can revoke a delegation whenever he changes his mind or overrule any exercise with which he disagrees.” A delegation of presidential authority merely makes the recipient “an extension of the President, a vehicle for assisting him in exercising his own authority when he cannot do so in person”—and thus an advise-and-assist component outside of the FOIA’s scope. By contrast, “statutory grants of authority” “flow from a source independent from the President” and “can confer authority beyond the President’s own.”

The national cyber director’s lack of independent legal authority, combined with Senate confirmation, gives the president broad latitude to shape this role and authority within the executive branch. And external access to the office’s inner workings will largely be a matter of executive grace, given the additional separation of powers constraints imposed by the executive branch on congressional oversight and the office’s insulation from public scrutiny under the FOIA. The result is an office whose role in the executive branch and responsiveness to outside scrutiny are broadly within each president’s power to determine.


Devin DeBacker was is the chief of the Foreign Investment Review Section in the National Security Division at the Department of Justice.

Subscribe to Lawfare