Although the aftershocks of COVID-19 will last for years, one result is already clear — shifting more activity online has increased our society’s digital dependence even faster than expected. The federal government’s cybersecurity capabilities need to keep pace.
Although some federal agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), have made significant improvements over the last few years, at least three factors impede government-wide progress. First, cybersecurity’s cross-cutting nature does not fit with the U.S. government’s bureaucratic structure. Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity. Third, a lack of central leadership hinders effective incident response. No single policy action will solve these problems, but creating a National Cyber Director along the lines of what the Cyberspace Solarium Commission recommends would be a good start.
Bureaucracies prefer issues that fit neatly into one organization’s mission. Cybersecurity is almost the exact opposite. It is a national security, military, intelligence, economic, public safety, privacy, diplomatic, law enforcement, business continuity, and internal management issue all rolled into one. It touches all federal agencies, with many of them having a legitimate role in cybersecurity. Thus, cybersecurity is too broad for any single agency’s remit. Further, a normal bureaucratic response to such a situation, creating a “Department of Cybersecurity,” will not work either; cybersecurity is too integral to too many agencies’ missions to centralize those functions in one department.
At the same time, cybersecurity’s different aspects are not independent — they interact with each other, sometimes in unexpected ways. Military cyber operations can disrupt intelligence activities or law enforcement investigations. Treasury sanctions could upset diplomatic negotiations. DHS personnel focus on mitigation, while the Federal Bureau of Investigation and Department of Justice concentrate on prosecution. Network defenders want information from the private sector, but many are worried about regulatory action if they share. Welding these disparate activities into an effective whole requires intense, regular, sustained inter-agency coordination. This coordination does not occur naturally in government: personnel have limited incentives to coordinate activities across departmental and agency lines. That’s not a moral failure or laziness, but the reality of human psychology.
Finally, malicious cyber activity is going to increase over the coming years. Many countries have discovered that cyberspace is an effective medium through which to pursue their national interests. Criminals have discovered that cybercrime pays well with low risk. This malicious activity will become more intense in its effects, and incidents that would have been a minor nuisance a decade ago will now be organizationally catastrophic due to our digital dependence. Adversaries will also find ways to attack us in ways we do not anticipate. Thus, we will face more frequent and more significant incidents. We know from experience in other areas, from natural disasters to pandemic response, that centralized leadership is critical to effective crisis management.
How do we organize across agency lines, sustain interagency coordination, and improve our cyber crisis management? Creating a National Cyber Director could partially address these three problems. I do not arrive at this conclusion lightly. Washington likes to re-arrange the deck chairs when a new problem arises, so I view organizational solutions with skepticism. However, after working on this issue for many years, I have concluded that the nation needs a National Cyber Director (NCD) housed in the Executive Office of the President (EOP).
The EOP is the only part of the executive branch with a sufficiently broad scope to look across all the different aspects of cybersecurity. It is the only part of the executive branch that can overcome the “you’re not the boss of me” effect and incentivize agencies to engage in regular, sustained, and intense coordination. It is the logical place to organize a crisis response because it can serve as a neutral, interagency hub and activate resources across the entire federal government. Finally, given the complex nature of cybersecurity and its importance to our national security, economic security, and foreign policy, the president needs an empowered senior adviser focused on this issue.
However, in creating an NCD, we should be careful about its scope and authorities. While it is hard to create a new position, it is even harder to make a new position effective. The NCD’s office should be big enough to run effective processes, but not so big that it tries to be operational. Such an office should have no role in execution, but it should have insight into operations. It must integrate tightly with and leverage long-standing EOP functions, such as the Office of Management and Budget’s budget process and National Security Council’s policy process; otherwise it will be irrelevant. We will have to resolve the relationship of this position to the Federal Chief Information Security Officer. We can’t carve out certain cyber functions, like military or law enforcement activities, exclude those from the NCD’s purview, and expect it to work. Working through the position’s scope, structure, and authorities will take time and thoughtfulness.
Although I held a version of this position during the Obama administration, simply recreating the Cybersecurity Coordinator within the National Security Council is insufficient. That office is built to be internally facing, and it has strict limits on how its staff can interact with the private sector. However, much of the nation’s cybersecurity capabilities and expertise resides in the private sector. Rather than try to create exceptions to allow for significant interaction with the private sector, a better solution would be to create a separate office with its own authorities and processes.
Many federal cybersecurity problems stem from organizational shortcomings. Thus, effective solutions will involve an organizational element. Creating a National Cyber Director won’t suddenly make the federal government a well-oiled cybersecurity machine, but it will put a crucial piece in place. We’ve built the policy foundation to improve our cybersecurity and we’ve made some needed organizational changes, such as establishing CISA and U.S. Cyber Command. Now we need to take the next step and create a position that can bring it all together.
Michael Daniel is the president and CEO of the Cyber Threat Alliance, overseeing the organization’s operations. Prior to joining the CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Barack Obama and Cybersecurity Coordinator on the National Security Council. In this role, Michael led the development of national cybersecurity strategy and policy, and ensured that the U.S. government effectively partnered with the private sector, non-governmental organizations, and other nations.