The remarkable decision to have a single official fill two key White House cybersecurity posts has highlighted both the Trump administration’s commitment to securing federal IT networks as a national security priority and its inability to fill key cyber jobs.
Grant Schneider, the current deputy federal CISO, who has been acting CISO since his boss left mid-January, will also begin doing the job of senior director within the cybersecurity directorate of the National Security Council staff, the White House let slip this week. The federal CISO job is based in the Office of Management and Budget, which, like the NSC, is within the Executive Office of the President.
Several former NSC staffers told CyberScoop the dual-hatting arrangement makes sense in the short term, but they questioned its viability in the long run. The administration made fixing federal government IT systems a priority under the cybersecurity executive order President Trump signed in May. The CISO’s office is operationally responsible for the security of those networks, and so that job will be at the center of the NSC cyber directorate’s agenda at least initially.
“The OMB has a statutory role in federal agency cybersecurity,” said Michael Daniel, a White House cybersecurity coordinator under President Barack Obama. “So having a dual hat makes sense,” especially given the expanded importance of federal IT within the new administration’s strategy.
“There’s a good side and a bad side,” observed another former NSC official who asked for anonymity so as to speak freely. “The good side is, this ties together the technical activities dedicated to civilian agency cybersecurity in the CISO office, with the broader strategic direction the NSC provides.”
There are concerns that over the long term, though, Schneider’s dual portfolio could become unmanageable — and some observers are linking the dual-hatting to the apparent inability of the administration to fill cyber policy jobs in the White House and elsewhere.
“The bad side is, all NSC jobs are very demanding, but perhaps none more so than those senior director positions, because of the number and scope of the issues that you have to manage … That role alone is more than a full-time job,” the former NSC official said.
All agreed that Schneider was uniquely well-qualified, having previously worked in the NSC cybersecurity directorate. Ari Schwartz, who held the NSC senior director’s job under Obama, said Schneider doesn’t face the huge, steep learning curve that newbies have to scale as they learn the ropes in one of the most coveted office complexes on the planet.
“He already knows all that stuff,” Schwartz said. “That’s why it makes sense. You don’t have that ramp-up period which you would need” if an outsider was appointed either to the NSC job, or to take over from Schneider as federal CISO. “I’m not saying it’s ideal, but there’s a logic there that I understand.”
The former NSC official agreed, saying that dual-hat situations work “when you have enough overlap in mission and role that combining them solves more problems than it creates.”
On the other hand, the former official said, the situation would be especially challenging because Schneider was acting as federal CISO. “If he was only doing the job of deputy CISO, this would be easier to manage, because he could limit how much he engaged on that side. While he’s acting as federal CISO, he will have to engage fully on both ends.”
Daniel pointed out there would be logistical challenges — Schneider would have to maintain two separate email accounts, since the two offices are covered by different records retention laws. “It’s a case-specific deal,” Daniel said.
“It can’t stay that way,” said Schwartz of the arrangement. “In the long term, as [the NSC cyber directorate] moves on to other policy areas [within its portfolio] it’ll be unsustainable.
“There just aren’t enough hours in the day,” he concluded.
Several former officials linked the dual-hatting issue to the problems the administration appears to be having filling cybersecurity policy leadership roles across the government. There are still no nominees for the undersecretary who heads up the Department of Homeland Security’s infrastructure protection operation, known as the National Protection and Programs Directorate or NPPD — or for the deputy undersecretary’s job. Now, insiders say, there may be fresh delays in those nominations because of the absence of a DHS secretary.
In the White House itself, there remain, even after the Schneider appointment, at least three vacancies on the small NSC cybersecurity directorate — and there is no federal CISO and no federal CIO either.
“Clearly the slow pace of bringing people on board is a problem,” said Daniel, “and the longer it goes on, the bigger of a problem it becomes.”