A recent Politico article describes plans to eliminate the top White House cybersecurity job and have its responsibilities absorbed by other personnel. This cybersecurity czar position was originally held by Richard Clarke in the wake of 9/11, an elevation by President Bush that reflected how much cybersecurity had become a national security issue. The current czar, Rob Joyce, officially a Special Assistant to the President and Cybersecurity Coordinator under the National Security Council, announced plans to step down earlier this year. While filling the position will certainly be difficult in the current political environment, the Advanced Cyber Security Center (ACSC) urges the President to shift the Administration’s course and elevate the position to one that directly reports to the President, as it did when Clarke filled the role.
The Cyber Czar Role
The potential elimination of the cybersecurity czar role represents the latest visible example of the administration’s struggle to establish an effective cybersecurity strategy. Within the cybersecurity community, the first clear instance of cybersecurity’s diminishing importance came with the naming of Rudy Giuliani as a top cybersecurity advisor to the President charged with leading a “cyber working group” of experts chartered to develop the administration’s cybersecurity policy. Having little credibility within the cybersecurity community, Giuliani was widely viewed as lacking the industry relationships needed to bring the nation’s best minds to the table. Indeed, subsequent reports suggested that the working group may never have actually formed.
In May of 2017, the President released an Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Though framed as a major policy document, the Order did little beyond requesting that various agencies and other authorities report on the current state of cybersecurity and provide recommendations for enhancing that state. Since its issuance, there have been no indications that any of the reporting deadlines have actually been met. The Administration subsequently released its National Security Strategy for the United States in December 2017, a policy document that prominently included cybersecurity concerns as critical for national security. Unfortunately, the strategy followed the theme inherent in the Executive Order by passing off responsibility for the Nation’s cybersecurity defenses, this time to industry, with such statements as, “the U.S. Government will work with the private sector to remediate known bad activities at the network level to improve the security of all customers. Malicious activity must be defeated within a network and not be passed on to its destination whenever possible.” Michael Sulmeyer, the Belfer Center's Cyber Security Project director at the Harvard Kennedy School (an ACSC member), called this “trickle-down cybersecurity,” responding, “we get more bang for our buck if the government and large service-providers can block threats before they reach businesses and operators of important systems.”
Collaboration Is Key
While building stronger cybersecurity defenses is a daunting task that the Administration cannot achieve without broad public and private sector collaboration, deprioritizing the Administration’s leadership position places the Nation at a severe disadvantage on the global stage. Back in 2009, cybersecurity policy expert and early ACSC champion Melissa Hathaway, who led President Obama's 60-day cybersecurity policy review as Assistant to the President for National Security Affairs and whose report helped shape the job description of the cybersecurity coordinator position, discussed the merits of having a strong cybersecurity leader in the White House. “[T]he government is moving out on a number of different areas, but sometimes you need a coach or the team lead to help get everybody continuing to work toward specific goals.”
Responding to reports of the position’s elimination, U.S. Navy Rear Admiral (ret.) and member of the ACSC Board of Directors Michael Brown stated, “I think the position should be retained – and upgraded as per the Cybersecurity Commission’s recommendations in 2016. Both the George W. Bush and the Obama administrations recognized that cybersecurity is a critical mission and priority for the nation, affecting national security and public safety. And it has been recognized that cybersecurity is a whole of government responsibility, no executive branch department or agency has the authority, expertise or capability to execute the Nation’s cybersecurity responsibilities. For that reason, and the need to be engaged strategically with other nations and the private sector, the nation needs a leader that is focused on cybersecurity and working directly for the President.”
ACSC Executive Director Michael Figueroa agrees. “This is not the time for the Federal government to de-emphasize cybersecurity as a national security imperative. Cyber attacks have leveled the global playing field and the country needs strong leadership to regain our historical advantage.” State-sponsored and criminal syndicate hackers are developing capabilities that can cause as much damage as conventional weapons. Defending against these attacks requires strong coordination to effectively harness the power of collective resources across the public and private sectors. “This position is not only critical for advising the President on how the government should defend itself,” continues Figueroa, “it serves as a critical conduit for organizing industry and coordinating response to community-level threats. Deprioritizing the position by merging it with other roles will only serve to shift more responsibility to state governments and industry to defend against state-level threats, alone.”
Keeping Cyber Defenses Strong
We believe the continuing deterioration of cybersecurity representation at the executive level reinforces industry movement to act on its own. There is already an inherent distrust within the cybersecurity community with regard to government collaboration and cooperation, which reduces the efficiency with which we can leverage the strengths on both sides.
While the private sector’s cyber threat perception and intelligence gathering capabilities far exceed those of the government, the intelligence community’s ability to aggregate and process unstructured information from varying data sources is superior. Reducing the Administration’s ability to build constructive engagement with industry by eliminating key leadership positions will only widen the trust gap, making it more difficult for the Nation to respond to community-level threats when they occur.
The ACSC echoes Adm. Brown’s recommendation that the Administration not only retain the cybersecurity coordinator position, but also elevate it to report directly to the President. Furthermore, we urge the President to charge the position to leverage the Nation’s independent security information sharing groups, including the ACSC, to establish stronger trustworthy communications with the private sector. Doing so will better prepare the Nation to actively defend against advanced cybersecurity threat agents rather than be forced into a position of responding to and recovering from inevitable attack.