
The NDAA’s National Cyber Director: Justifications, Authorities and Lingering Questions

Robert Chesney
Monday, December 7, 2020, 4:16 PM

We may soon have a national cyber director. What problems is this office meant to address, what authorities will it have and what questions will remain?


Published by The Lawfare Institute in Cooperation With Brookings

The Cyber Solarium Commission produced an array of thoughtful recommendations in its March 2020 report. One of the most notable called for the creation of a new federal government entity focused on cybersecurity: a national cyber director (NCD) (as well as a corresponding Office of the National Cyber Director).

That vision is close to reality now, though the endgame remains uncertain. Section 1752 of the National Defense Authorization Act for Fiscal Year 2021 (NDAA), which is likely to pass both houses of Congress by overwhelming margins shortly, would establish the NCD (and the associated office). The NDAA bill is now on the president’s desk, and given that the NDAA has become law for 59 straight years, that would seem to be the end of the story. But this is President Trump we are talking about, and in this case, he is threatening a veto because congressional leaders declined to airdrop into the final bill a blunderbuss repeal of Section 230 of the Communications Decency Act.

Perhaps in the end, Trump will relent and sign the bill after all. Perhaps he won’t, and Congress will override his veto (that’s my prediction). Perhaps the whole process will have to begin anew in January. Whichever the path, though, it seems likely that Section 1752 will become law sooner or later, and then a nomination will be made, a confirmation will take place, and America’s first NCD will get to work.

What will that person be doing, exactly? Read on for an overview of the problems that the Cyber Solarium Commission cited as the justifications for creating such an office, a review of the authorities Congress provides to the NCD in Section 1752 and a summary of the lingering questions.

1. What are the problems that warrant creation of the national cyber director position?

The Cyber Solarium Commission identified an array of problems that creation of an NCD might address. I’ve distilled them into the following four areas of concern:

The National Cyber Strategy

The federal government has produced national cyber strategy documents in the past (see the current National Cyber Strategy from 2018, and note too the 2016 Cybersecurity National Action Plan, the 2009 Cyberspace Policy Review and the 2008 Comprehensive National Cybersecurity Initiative). The commission observed that the process for producing and updating such a strategy is not well institutionalized, however; no particular official or office has lead responsibility for performing this function on a recurring basis.

The commission also observed that we lack a process for monitoring whether the policies and budgets of relevant federal agencies align with the current National Cyber Strategy. Thus, if federal agencies work at cross-purposes or fail to make needed budget commitments, it is not obvious who in the federal government has ultimate responsibility for spotting such problems and wrangling recalcitrant entities back into line. The Trump administration exacerbated this problem in 2018 when it eliminated a White House staff position that came closest to fulfilling that role. More on that in the very next point.

Presidential Advising

The commission also emphasized the desirability of having a clearly identified adviser to the president dedicated to cybersecurity matters (as well as to related issues at the intersection of technology and national security, such as 5G or internet governance). Of course, there had been such an adviser at one point, in the form of the special assistant to the president position known as the cybersecurity coordinator. In 2018, however, National Security Adviser John Bolton eliminated that position. Bolton asserted at the time that there was no need for such a dedicated position because responsibility for the topic was diffused throughout the NSC apparatus. This sparked criticism, to put it mildly.

Interagency Coordination

The demise of the cybersecurity coordinator position in 2018 also took away the most natural official to manage interagency coordination as to both cybersecurity policy formation and, especially, incident response. Even when the cybersecurity coordinator position was in place, however, some argued that the position lacked the stature, statutory authority and staff support to carry out those functions as effectively as one might wish.

Speaking at Home and Abroad With a Single Voice

The commission also noted the desirability of having a single officer empowered to serve as the nation’s authoritative voice (apart from the president, of course) in communications with external audiences (both domestic and foreign) regarding the collective position of the executive branch on cybersecurity topics.

2. Which authorities would NDAA Section 1752 confer on the NCD?

The version of the NCD envisioned by Section 1752 addresses each of the areas emphasized by the commission but in some key respects is less ambitious than what the commission had in mind.

Stature

One area in which Section 1752 certainly makes good on the commission’s vision has to do with the stature of the office. In contrast to the old cybersecurity coordinator position, the NCD would be a Senate-confirmed official (nominated by the president, of course, and subject to removal at the president’s discretion). And the NCD would, by statute, become a principal of the National Security Council. The NCD’s pay scale would be set with reference to Level II of the Executive Schedule (comparable to officials such as the CIA director and various departmental secretaries). The Office of the NCD, moreover, would be authorized to have a staff of up to 75 persons and would be situated within the Executive Office of the President. In short, the NCD and the Office of the NCD would resemble the structure of the Office of the United States Trade Representative, albeit on a smaller scale.

Presidential Advising

Turning to the authorities conferred on the NCD, Section 1752 starts in a complex vein. It makes the NCD “the principal advisor to the President on cybersecurity strategy and policy,” but with strings attached. Instead of leaving it in those general terms, the provision describes this as a role specifically “relating to the coordination of” certain cybersecurity topics (emphasis added).

Which topics? Some are exactly what you would expect, such as “information security and data privacy.” Others are a bit more interesting, though, because they directly implicate the equities of other agencies. For example, the list includes “efforts to understand” malicious cyber activity and to “deter” such activity, as well as “diplomatic and other efforts to develop norms and international consensus around responsible state behavior in cyberspace.” These are core concerns of the National Security Agency, the CIA, U.S. Cyber Command and the State Department; hence, the decision to identify the NCD as the president’s principal adviser on those topics would be a recipe for turf wars (ones the NCD would be poorly positioned to win) if not for the qualifying language I highlighted above, accentuating that the NCD’s particular function is to advise the president regarding coordination, not to act as the principal adviser about those realms of activity as such.

Formation of National Strategy and Policy

Section 1752 falls short of the commission’s vision for an NCD with lead authority over the process of updating the National Cyber Strategy and forming national policy positions relating to cybersecurity. Under Section 1752(c)(1)(B), the NCD’s role is limited to the ability to “offer advice and consultation” to, well, everyone in the federal government with equities relating to cybersecurity. The language doesn’t require anyone else to listen to that advice, let alone to follow it. Nor does it describe the NCD as the statutorily required instigator of, or shepherd for, such processes. Which is not to say that the NCD will not have significant influence in such matters; it’s just that such influence will have to be earned through persuasion, rather than demanded as-of-right.

Implementation of National Strategy and Policy

The commission’s hopes for a strong NCD fare somewhat better when it comes to a separate function relating to national strategy and policies: conducting centralized oversight to ensure that agencies operate in alignment with those strategies and policies once they are in place. In fact, the opening lines of Section 1752(c)(1)(C) seem rather strong on this point, describing the NCD as lead agency for “coordination of implementation” of national strategies and policies. But, once again, the devil is in the details. That same subsection goes on to specify exactly what the NCD’s leadership role entails, and it arguably isn’t much.

Four of the particular authorities listed here boil down to this: The NCD can observe and advise, but cannot force other agencies to change their policy, resource and personnel practices. More specifically, these four authorities provide that the NCD may:

  • Monitor the effectiveness of implementation efforts (including their “cost-effectiveness”).
  • Give advice to agency/department heads regarding personnel, budget, organization, etc.
  • Review agency budgets for consistency with national policies/strategies and give advice to the agency heads on where they may be falling short.
  • Assess the “integration and interoperability” of various Federal cyber centers and advise the President on needed changes.

At this point, it is worth noting that Section 1752 does deal something of a wild card to the NCD. Subsection 1752(e)(3) rather casually mentions that the NCD shall have power to “promulgate such rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the Director.” A bold NCD might seek to leverage this power to articulate and entrench broad interpretations of the aforementioned authorities.

Pruning Federal Policies, Guidelines and Regulations

Section 1752(c)(1)(C)(v) directs the NCD to “coordinate” with the attorney general, the federal chief information officer, the director of the Office of Management and Budget, the director of national intelligence, and the director of the Cybersecurity & Infrastructure Agency (CISA) in order to “streamlin[e] … Federal policies and guidelines” and “regulations relating to cybersecurity.” The bill does not specify the precise purpose of such “streamlining” efforts, but it does refer in part to existing federal law concerning the information security practices of federal agencies. For most government agencies, CISA already performs the role of key overseer of their information security practices. Agencies operating “national security systems” are separate from that authority, however. Hence, one possible justification for assigning a coordinating role to the NCD in this area is to ensure there is an official empowered to think about all government systems in the round, as it were. At any rate, the key thing is to appreciate that this is just a coordination role, not one that empowers the NCD to compel agencies to take particular actions.

Interagency Coordination for Incident Response: Developing Plans, Executing Plans

The commission’s vision for the NCD fares well when it comes to interagency coordination for incident response. The idea of an integrated response, to be clear, is not the novelty here (see the “Cyber Unified Coordination Group” system adopted in PPD-41 in 2016). The novelty, rather, is in the allocation of such authority to a statutorily empowered office and then the spelling out of various specific steps that the office must carry out as part of that mission. Section 1752(c)(1)(D) accomplishes this by directing the NCD to:

  • Establish (in coordination with relevant agencies) “operational plans, processes, and playbooks” governing incident response (including, intriguingly, a specific directive to ensure that “defensive” plans and capabilities are integrated with “offensive” plans and capabilities—which sounds to me like a requirement to ensure that plans account for U.S. Cyber Command’s potential role).
  • Ensure that those plans are “exercised[.]”
  • Ensure all of it is updated as needed.
  • Ensure that the plans involve proper coordination with the private sector.

What about implementation of those plans? The same section describes the NCD as having responsibility for “ensuring implementation” of them, but it does not elaborate on the point. On the other hand, the very next subsection (1752(c)(1)(E)) appears to address the topic in a way that puts the NCD in a potentially powerful position.

Specifically, Section 1752(c)(1)(E) provides for the NCD to lead in “preparing the response by the Federal Government” to qualifying cyber incidents, and it further states that the NCD should develop (in coordination with the national security adviser and heads of relevant agencies) “operational priorities, requirements, and plans” (emphasis added by me). Further, Subsection (E) specifies that the NCD must ensure agencies execute those plans properly.

No doubt there will be frictions in practice as future NCDs test the boundaries of this role in the context of particular cases.

Which cyber incidents rise to the level that triggers such an NCD-led interagency response?

This part of Section 1752 is especially intriguing.

The status quo, under PPD-41, uses the label “significant cyber incidents” to describe the subset of cyber incidents that warrant formal interagency coordination (in contrast to run-of-the-mill incidents as to which one or more federal entities might have a role, but for which a coordinated interagency response is not necessary). And PPD-41 explains that incidents qualify for that label when they are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” That is a sensible, but indeterminate, definition.

NDAA Section 1752 makes changes. First, it replaces “significant cyber incidents” with a nearly identical—but longer—label (that is, “cyber attack or cyber campaign of significant consequence”). Second, and more important, it defines that category more broadly (though still quite loosely). According to 1752(g)(2), an incident(s) qualifies if its “purpose or effects” is to:

(A) Significantly disrupt the confidentiality, integrity, or availability of any federal information system.

(B) Harm or otherwise significantly compromise the functioning of any computer supporting any entity that is part of a critical infrastructure sector (notice that this is not limited to the “Section 9 entities” subcategory but rather reaches the full spectrum of critical infrastructure entities, and that it does not matter whether the computer in question is important to the entity).

(C) Otherwise significantly compromise the ability of a critical infrastructure entity to provide services.

(D) Steal “significant” funds or economic resources, trade secrets, personal identifiers, or financial information, when done for private financial gain or for commercial/competitive advantage.

(E) Otherwise constitute a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”

There’s a lot going on there, and plainly much of that is of indeterminate scope. That said, it seems to me much broader than the “significant cyber incident” category under PPD-41. It covers any hack of a federal computer, it covers a potentially vast number of run-of-the-mill identity theft and economically motivated crime situations, and it covers interference with computers belonging to critical infrastructure entities where the computer might not be very important (and where, for that matter, the entity itself might not be that important; remember, this is not limited to Section 9 entities). None of which is necessarily a bad thing, mind you; it is better to be overinclusive than underinclusive in this space.

Annual Reports and Other Communication/Representation Functions

Apart from a final, general charge to perform such other functions as the president may direct, the only other significant duty conferred on the NCD is to report annually to Congress on the cybersecurity threat environment and related matters, and to report to the president, the national security adviser and Congress regarding the state of U.S. cybersecurity.

3. What issues and questions remain?

The NDAA’s version of the NCD is not all that the commission had in mind. But it will do much good and should be enacted.

The demise of the cybersecurity coordinator position in 2018 demonstrated that the president cannot always be trusted to perceive the importance of this topic (well, that might not have been the only clue, but it underscored the point in a particularly relevant way). Even when that position existed, however, it did not have the institutional clout, statutory authorities and staff support that the NCD would have. Passage of Section 1752 would address all of that to a very helpful degree, and with authorities that go some way toward addressing the problem areas the commission perceived.

True, Section 1752 does not do everything the commission hoped it would. As noted above, the NCD would not own the National Cyber Strategy process (and other national policy and strategy processes) to the same degree the commission envisioned. And note, too, that despite language in 1752(c)(2)(A) confirming that the NCD may be included in preparing for and participating in “domestic and international summits and other international meetings at which cybersecurity is a major topic,” the legislation would not make the NCD the executive branch’s default voice, or an independent voice, in such matters (indeed, a separate section specifies that any such participation by the NCD “shall” be “in coordination with the Secretary of State”). But it’s more than half a loaf, and much better than no loaf.

One point of sensitivity that I have not mentioned yet is that the various directives to the NCD to serve as a point of contact coordinating with the private sector (including especially, it would seem, critical infrastructure entities) raise an important question about deconfliction with the role of the director of CISA. Building relations with the private sector, and especially the owners/operators of critical infrastructure entities, is a central purpose for CISA and a key part of the director’s job. It is not hard to imagine how an NCD might encroach significantly on that territory if great care is not taken in developing a modus vivendi between these offices.

A final note, picking up a point I made above: It will be especially interesting to see what an NCD will be able to make of the aforementioned authority to act as the president’s principal adviser on the coordination of “efforts to understand and deter malicious cyber activity.” Such efforts entail some of the nation’s most sensitive intelligence collection capabilities as well as the increasingly important category of operations undertaken by U.S. Cyber Command under its “defend forward” concept. If the NCD and the CYBERCOM commander have a strong relationship, I suppose this might work.

To the future NCD team: Good luck!


Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.
