Before being picked to lead DHS, Nielsen waffled on the department's top cyber job

DHS nominee Kirstjen Nielsen at the Annual Meeting of the World Economic Forum at the congress centre in Davos, Switzerland January 24, 2015. (Source: WORLD ECONOMIC FORUM/swiss-image.ch/Photo Valeriano DiDomenico)

Share

Written by

Long before she was unexpectedly tapped to run the Department of Homeland Security, Kirstjen Nielsen was picked to be DHS’ top cyber official. But Nielsen was apparently unable to decide whether to take that job — effectively blocking any appointment to the nation’s top cyberdefense post for months.

“It was her,” said one senior official, “She was what blocked it.”

According to numerous officials who spoke with CyberScoop, Nielsen’s nomination as DHS undersecretary for the National Protection and Programs Directorate should have been part of a flurry of swift decisions early in the year about who was to lead key DHS agencies — including the Federal Emergency Management Agency, U.S. Citizenship and Immigration Services and Customs and Border Protection.

Critics say her waffling left the NPPD, the DHS agency in charge of the federal government’s cyberdefenses, rudderless — casting a pall over the department’s leading role in defending the nation against online aggression from criminals and nation-states alike.

Nielsen, who had been the “sherpa” assisting then-Homeland Security secretary nominee John Kelly through his confirmation process, became the favored candidate for the NPPD post shortly after her January appointment as DHS chief of staff, according to current and former officials.

It was a poorly kept secret in Washington that Nielsen “was on a path to become the NPPD undersecretary,” said Gus Coldebella, who was DHS general counsel in the George W. Bush administration.

A White House official authorized to speak on condition of anonymity confirmed that “she was the person intended for that position.”

But, other officials said, Nielsen seemed unable to decide whether she wanted to surrender her chief of staff post, which kept her in constant contact with Kelly as he ran interference for the White House on the administration’s travel ban.

“Nothing happened,” said the senior official. “There was complete silence.”

The White House official called that “inaccurate,” blaming the delay, in part, on the length of time the FBI was taking to complete background investigations.

“The decision was made to move ahead with her nomination at the end of March,” the White House official said, adding that FBI and Office of Government Ethics vetting was “taking an average of 87 days to complete,” compared with “a previously stated goal of 30-40 days.”

“[The FBI delay] doesn’t hold water as an explanation,” said one former senior official, “She had already been vetted for a senior job at DHS. If she’d wanted it, there would have a been a way to get her into NPPD within days.”

The White House official said the vetting process was “totally different” for a Senate-confirmed position.

Then, following a dramatic series of missteps by President Donald Trump, Kelly was appointed White House chief of staff at the end of July. He brought Nielsen with him as one of three deputies. At DHS, officials thought they had seen the last of her.

“When she went to the White House, everyone thought she was going to withdraw” from contention for the NPPD job, said the senior official. The White House official confirmed to CyberScoop that “a decision was made” not to move forward with her nomination, owing to “the change in circumstances” of her new position. “It happened at approximately the same time,” as her vetting was completed, the White House official added.

The White House official said another candidate for the job was currently undergoing vetting.

The NPPD undersecretary is, by law and policy, the official in charge of the federal response to major cyber-incidents like WannaCry or NotPetya — both of which happened while the post was vacant. Critics say that underlines the department’s irrelevance, but even DHS’ defenders acknowledge that, without Senate-confirmed leadership, the directorate is treading water, not making progress.

“The threat is evolving … marking time is falling behind,” said Greg Touhill, former federal CISO and deputy assistant secretary at DHS where he served as director of the National Cybersecurity and Communications Integration Center, the NPPD’s 24-hour cyber watch center.

The lengthy vacancy has even raised questions in some quarters about the long-term future of DHS’s role in combatting the cyberthreat to both government networks and the nation as a whole.

“NPPD needs senate-confirmed leadership,” said Kiersten Todt, a resident scholar at the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security, who last year was executive director of President Barack Obama’s Commission on Enhancing National Cybersecurity.

She said the department’s vision for protecting critical infrastructure was based on an “industrial age” understanding. The plan to make NPPD a cyber-protection operational agency along the lines of FEMA or TSA — a top priority for House Homeland Security Committee Chairman Michael McCaul — was conceived of more than three years ago, she noted.

“The [cyber] threat was dramatically different then,” she said. “We need to examine how we define critical infrastructure and we now need to be thinking about how we protect critical information … whatever the structure, DHS has to be agile and adaptive so that it can evolve with the threat.”

Although the DHS press office referred requests to the White House, DHS officials and their defenders outside the department say that career staff and two presidentially appointed assistant secretaries have kept the directorate running smoothly and responded fast and decisively to outbreaks like WannaCry.

NPPD Assistant Secretary Christopher Krebs, a political appointee who is acting undersecretary, and his colleague, Assistant Secretary Jeanette Manfra, a career official appointed to a political job by Trump, are both well-respected figures who’ve engendered a great deal of loyalty among NPPD staff, according to insiders.

But one former official who was acting in the NPPD undersecretary role for almost a year is unequivocal that Senate confirmation matters.

“I think it’s a problem,” said Suzanne Spaulding, who was eventually confirmed in March 2014. She praised the “very competent team” in place at the directorate, but said the absence of senate-confirmed leadership at NPPD was compounded by the vacancy in the secretary’s position.

“Even though I had been the deputy (undersecretary) for almost two years, it wasn’t until I was confirmed that I could move out and put my own mark on the place,” she said. “The challenge is, it makes it harder to make significant changes.”

Even after she was confirmed, Spaulding said she “got a lot of pushback” when pushing a reform agenda at the directorate. “It was a heavy lift,” she said, “The backing of the secretary was important.”

Without a secretary in place, she said, “you don’t know if you have the political top cover.”

-In this Story-

cybersecurity, DHS, Kirstjen Nielsen, NPPD
Continue to CyberScoop.com