Reexamining the Solarium Commission’s Proposal for a National Cyber Director
The recent Cyberspace Solarium Commission Report recommended establishing a national cyber director and accompanying office. But if enacted as described, the proposal will set up this important office to fail.
Published by The Lawfare Institute
in Cooperation With
The most critical challenges our nation faces cannot be solved by one agency alone. Responsibility for cybersecurity, like pandemic response, requires many different agencies to work together in concert. The complex challenge of cybersecurity requires strategic leadership at the top. This is why the Obama administration had a White House cybersecurity coordinator: to force agencies to work together, to cut through bureaucratic red tape and to realign resources. Unfortunately, the Trump administration left that position vacant after the departure of Rob Joyce in May 2018.
Restoring that senior-level coordinator position would go a long way toward coordinating the security of the internet—which we now rely on more than ever to manage our lives and connect with others while sheltering in place. So we were pleased to see that the Cyberspace Solarium Commission’s recent report recommended establishing an elevated national cyber director and accompanying office at the White House.
But good ideas can turn into bad ones if they are not structured properly. The devil is in the details. And unfortunately, the proposal as recommended by the commission is a pastiche of responsibilities, authorities, structures and resources, which will set up this important office to fail, if enacted as described.
The commission’s role is done, though, and the ball is now in Congress’s court. While Congress works to pass legislation to make the position of national cyber director a reality, members should take a hard look at the lessons of the past—because we’ve seen this movie before: A national security crisis, followed by the sense that existing structures have failed us, leads Congress to demonstrate how seriously it’s taking the issue by creating new organizations out of the building blocks of existing organizations. We saw it with the creation of the Department of Homeland Security in 2002 with the Homeland Security Act and the creation of the director of national intelligence in 2005 with the Intelligence Reform and Terrorism Prevention Act. Both organizations, created after 9/11, were designed around the idea that terrorism was the critical threat the nation faced. Both became a wish list of things that the congressional drafters hoped each organization would accomplish, thrown together without a clear objective for the entity.
Congress now has a choice. Either resolve the conflicting directives that this position could bring or pass messy legislation like the Homeland Security Act and the Intelligence Reform and Terrorism Prevention Act and leave it to the executive branch to figure it out.
The responsibilities and structure proposed by the commission are ambitious—the national cyber director would serve as the president’s principal adviser on cybersecurity and emerging technologies, coordinate national-level cyber strategy and policy, serve as the chief representative and spokesperson for the United States on cybersecurity issues, and provide budgetary review of designated agency cybersecurity budgets, among other responsibilities. The proposed office would be located within the Executive Office of the President (EOP), and its inhabitant would be subject to Senate confirmation and would manage a staff of 50 people.
But, if Congress wants the national cyber director to succeed, it should look to similar EOP positions to decide if it is comfortable with the combination of these responsibilities and structure, as described by the commission. Currently, the EOP contains seven offices that are all structured differently and hold different roles and responsibilities. The three EOP offices that share similar roles and responsibilities with those of the proposed Office of the National Cyber Director (ONCD) are the Office of National Drug Control Policy (ONDCP), the Office of Science and Technology Policy (OSTP) and the Office of the U.S. Trade Representative (USTR). The national cyber director would serve as the president’s principal adviser on cybersecurity, which is similar to the role that the U.S. trade representative fills for trade, the director of national intelligence fills for intelligence, the drug czar fills for drugs, and the head of the OSTP often fills for science. The U.S. trade representative also serves as the nation’s chief representative and spokesperson on trade issues, while the latter role is optional for the drug czar. The national cyber director is also analogous to the director of national intelligence, and although the Office of the Director of National Intelligence (ODNI) is not an office within the EOP, it is similarly designed to address a cross-cutting issue.
|
ONCD |
ONDCP |
OSTP |
USTR |
OMB |
ODNI |
Principal adviser to the president |
x |
|
|
x |
|
x |
Federal government coordinator |
x |
x |
|
|
x |
x |
Budget review of key agencies |
x |
x* |
x* |
|
x± |
x* |
Spokesperson on relevant policy |
x |
x+ |
|
x |
|
|
Chief representative on relevant policy |
x |
|
|
x |
|
|
Staff |
50 (proposed) |
76 |
33 |
232 |
495 |
1,500 |
* The processes for these offices do not include the added responsibility for the national cyber director of needing to concur with significant changes made by the Office of Management and Budget (OMB). ± OMB conducts budget review of all agencies as part of one of its primary responsibilities. + The drug czar may serve as the spokesperson but is not required to do so. |
While the office proposed by the Cyber Solarium Commission shares characteristics with some of these offices, it diverges in ways that are fundamental and at odds with its size and placement.
While the ONDCP, OSTR, ODNI and most prominently the Office of Management and Budget (OMB) have the responsibility for budgetary review, the commission’s proposal adds another layer of bureaucracy. First, the national cyber director would review and approve all cybersecurity budgets of each federal agency before sending them to OMB. OMB currently performs this function; therefore, the commission’s proposal would add an additional layer of budgetary review and approval to an already complicated and technical area of agencies’ budgets. However, this is not vastly different from the ONDCP creating a drug policy budget or ODNI compiling budgets for the intelligence community. Where the proposal differs is that the national cyber director would need to concur with any “significant changes” made to agency budgets by OMB. It is unclear what this means—does the national cyber director have veto power over OMB, or would these conflicts be taken to the president to resolve, or something else entirely? Either way, this would add a process that was not spelled out for the director of national intelligence over other agencies’ intelligence programs. When crafting legislation to create this position, members of Congress should decide if they approve of these responsibilities.
Second, unlike the USTR, whose mission does not overlap with any existing federal agency, the proposed Office of the National Cyber Director’s remit is a core part of every existing government function. With cybersecurity, like intelligence, each agency must be concerned with it as an issue in order to accomplish its main functions. Cybersecurity does not exist as an end in itself, but as something that must be considered in keeping the agencies and the nation’s essential work going. Like the director of national intelligence, a cabinet official outside the EOP, the national cyber director would serve as the principal adviser to the president for his or her issues and would also perform a coordinating policy function. While there was previously a cyber coordinator position in the White House, the national cyber director differs because the position would be accompanied by an office, therefore increasing its presence in the EOP. Congressional drafters need to determine whether they want a cross-cutting position like this within the EOP or if they think the ODNI model, outside the White House, would be a better fit.
The third issue that drafters need to contend with is size. The Cyber Solarium Commission recommended that the Office of the National Cyber Director maintain a staff of 50 within its office but also said that it should be positioned similarly to the Office of the U.S. Trade Representative, which has a staff of more than 200. The Office of the Director of National Intelligence, which also has a cross-cutting mission, maintains a staff of 1,500. Even the Office of National Drug Control Policy, whose responsibilities most closely align with those of the Office of the National Cyber Director, has a staff of 76. While the idea of placing an additional 1,500 positions inside the EOP seems absurd, Congress needs to think seriously about whether 50 people will be able to fulfill the vast responsibilities allocated to the Office of the National Cyber Director.
Another issue Congress needs to wrestle with is the relationship between the national cyber director and other members of the federal government. In analogizing the national cyber director to the U.S. trade representative, the commission brought into question the national cyber director’s potential responsibility to Congress. It is also necessary to resolve what serving as the United States’s “chief representative” on cyber issues means when the commission also advocates for the creation of a Cyber Bureau within the Department of State. Furthermore, the commission report has raised significant confusion by not addressing a key relationship: that between the national cyber director and the head of the Cybersecurity and Infrastructure Security Agency (CISA). One potential model is to have the national cyber director coordinate offensive and defensive activities, while the CISA director focuses on defense. In a recent Senate Homeland Security and Governmental Affairs Committee hearing, commissioners offered two different views of this relationship: synergistic and directive. Without a resolution to these questions, there is a risk of a bureaucratic struggle among agencies, departments, and the national cyber director and potential confusion regarding authorities across the federal government.
Finally, as proposed, the national cyber director would be subject to Senate confirmation, much like the U.S. trade representative or the directors of the ONDCP and the OSTP. Senate confirmation provides a level of congressional oversight over EOP offices and their budgets, which are typically beyond congressional oversight, and shielded by executive privilege, but also means the director may be less likely to have the ear of the president and the trust of others in the White House. It creates an awkward dynamic where the Senate-confirmed national cyber director participates in a structure led by a non-Senate-confirmed official, the national security adviser. It is understandable that, given the current administration’s lack of cooperation with oversight requests by Congress, the legislative branch would seek to impose more accountability on the office, but doing so could also offer challenges.
Unfortunately, we have learned that if a president does not believe a position is important, there is no way to force the nomination or staffing of the office and there is no legislative proposal that would force a recalcitrant president to install or utilize an effective, functional director. As with any political appointee, Senate confirmed or otherwise, the national cyber director would serve at the pleasure of the president. Another model that can be considered is that of the national security adviser, who is not Senate confirmed but holds a powerful position within the executive branch and who lacks the oversight provided by Senate confirmation. Drafters need to weigh these arguments when deciding whether to make the national cyber director a Senate-confirmed position.
There is absolutely a need for a leadership position within the executive branch to coordinate on cybersecurity, especially as Americans are increasingly relying on the internet during the coronavirus pandemic. But Congress must resolve these conflicts as it drafts legislation that creates this position. This position must work. We cannot have a Frankenstein’s monster of organizational design. The stakes are too high for that.