When President Joe Biden took office last week, he and his administration were immediately tasked with managing one of the largest cybersecurity failures in recent memory—a stealthy and methodical supply-chain intrusion into private companies and government agencies that has been blamed on Russia.
Much of the work overseeing the response efforts will fall on a position that is not even a month old: the National Cyber Director. The first days of the Biden administration will be a make-or-break moment for the new White House posting, which is charged with overseeing and coordinating national cybersecurity policy, cybersecurity researchers said at multiple events Tuesday.
The National Cyber Director has the potential to “greatly improve” national cybersecurity by imposing discipline on a sprawling federal cyber bureaucracy, former senior officials from CISA, the FBI and the Department of Justice said Tuesday afternoon at a digital panel hosted by Harvard University’s Belfer Center for Science and International Affairs.
“We have this time in the first two-to-four years of the Biden administration that will set the precedent for how important and how powerful this office is,” said Tatyana Bolton, a former senior official at the Cybersecurity and Infrastructure Security Agency who currently serves as policy director for cybersecurity and emerging threats at the R Street Institute. “It’s really important that the president himself imbues this office with the power that it needs to do its job. You want the leadership to signal to other agencies that this really is the end-all-be-all for cyber.”
Mandated by Congress in the annual defense spending bill for 2021, the Office of the National Cyber Director and its head, the National Cyber Director, would serve as the “principal advisor” to the president on issues relating to cybersecurity and emerging technology. The National Cyber Director will work out of the White House and be supported by an office of 75 staffers. Like the U.S. Trade Representative, the position requires the consent of the Senate.
Though there is wide agreement on the need for a more robust mechanism for coordinating national cyber policy, the role of the National Cyber Director remains ill-defined and lacks robust operational and budgetary authorities, ex-officials said.
It also remains to be seen how the position will share responsibilities with other senior cybersecurity leaders at CISA, the National Security Council, and other agencies. “All of these people are going to have responsibilities for coordinating aspects of cybersecurity,” said Robert Mayer, cybersecurity and innovation senior vice president at USTelecom, at the State of the Net Conference hosted Tuesday by the nonprofit Internet Education Foundation. “How they work together, how they coordinate, how they establish priorities, and how they communicate to industry is going to be very, very important. And we don’t have that insight yet.”
That is why the effectiveness of the new office hinges on people and precedent: who the Biden administration chooses to lead the office, how that individual interacts with other members of the federal bureaucracy, and whether the National Cyber Director is able to win the trust and support of the president.
The idea for the National Cyber Coordinator emerged from the congressionally chartered Cyberspace Solarium Commission, which was initiated in 2019 to conduct a full-scale review of national cybersecurity policy.
In addition to advising the president, the National Cyber Director will prepare and lead federal incident response plans, coordinate and advise on the implementation of national cyber policy, and serve as a central point of contact with the private sector.
Though the Solarium Commission report recommended that Congress invest the National Cyber Director with greater authority than it ultimately did, Congress granted the office a potential “wildcard” by empowering it to promulgate rules and regulations for other federal agencies, said Kiran Raj, former Deputy General Counsel at DHS, at the Belfer Center panel.
“I think that’s why the first person who has this job is in a really interesting position,” said Raj, who recently co-authored a report about how the new administration should shepherd the new office into maturity. “You can imagine a world where they take a pretty strong view of the powers of the director and could actually use rule-making processes to make it even more robust.”
Though the Biden administration has not formally selected a nominee for National Cyber Director, the lead candidate for the role is rumored to be Jen Easterly, the current Head of Resilience at Morgan Stanley. A graduate of West Point and a Rhodes Scholar, Easterly has extensive experience in the private sector, the military, and in national security policymaking, having served in leadership roles in the NSA and at the NSC.
Congress made the National Cyber Director a discretionary, not a statuary, member of the National Security Council, meaning it will fall to the president to decide how involved the Director will be in key aspects of cyber policymaking.
Though that might diminish the Director’s influence inside the government, it allows the office to be more vocal outside it, said Sasha O’Connell, a former senior official at the FBI and co-author of the report on how to fast-track the National Cyber Director during the first 100 days of the new administration.
“This NCD creates a whole outward facing platform on cyber-strategy on behalf of the White House for the private sector and the international community,” said O’Connell at the Belfer Center event.
Reading between the lines of the Congressional mandate, panelists speculated that the National Cyber Director would be responsible for defensive cyber operations, whereas the NSC would have authority over offensive cyber operations.
But to be effective, the National Cyber Director will need to have some visibility into both offensive and defensive cyber operations, said Bolton, the former CISA-official, even though that prerogative has not been mandated by Congress.
“Until you have someone who is able to look in both buckets and see what’s happening, and set a strategic vision for cybersecurity that incorporates defensive and offensive tools and does not view them as separate entities, you cannot have true cybersecurity,” said Bolton.