Decision to consolidate cyber roles in NSC creates broader uncertainty across federal initiatives

Last week’s abundance of cybersecurity news makes it hard to know where to start.

We could begin by looking back over the last year at the accomplishments of the Trump administration, since May 11 was the one-year anniversary of the cybersecurity executive order.

The Office of Management and Budget released the first-ever cyber risk management report as part of fulfilling one of the more than 50 deliverables under the 2017 order. A teaser: Next week’s notebook will have more on that report.

Or, we could dig deeper into two new cyber strategies from the Homeland Security and Energy departments.

Advertisement

And then we have the news around the White House cyber coordinator position and National Security Adviser John Bolton’s decision to eliminate the specific role and add its responsibilities to existing positions. Rob Joyce left the role to return to the National Security Agency.

But all of this cyber activity over the last week really leads us to take the temperature of the administration’s initiatives over the past year.

Authority, accountability and resources

Most experts were more than happy to focus on the White House cyber coordinator role as part of the initial checkup. And despite a range of serious concerns to limited hopefulness, experts said agencies are more secure and better prepared to deal with cyber incidents and threats than ever before.

“The thing that stands out is the fact that there hasn’t been a lot of news around cybersecurity over the last year. In the sense that the policies and things that this administration has pursued really go back to the Bush administration, so there is a strong line of continuation across the Bush, Obama and now Trump administrations,” said Michael Daniel, former White House cybersecurity coordinator and now president and CEO of the Cyber Threat Alliance. “How they are thinking about federal network security and continuing to work away at expanding things like the continuous diagnostics and mitigation (CDM) program,  and moving to much more of a shared services model and to cloud services — all of those things are continuing to move forward. At the same time, you continue to see how much of a real struggle it is to make progress in those areas if you don’t have clear pressure from the top.”

And it is that pressure from the top that is now short two of the three top roles: the White House role, the federal chief information officer and federal chief information security officer.

Frank Cilluffo, the director of the Center for Cyber and Homeland Security at the George Washington University, said any major government initiative needs to meet three criteria to be successful: Authority, accountability and resources.

With the decision to move the White House cyber role and the lack of a permanent federal CISO, either a lot will ride on Suzette Kent, the federal CIO, and her cyber staff at the Office of Management and Budget or the leaders at the National Security Council will have to make their plans public.

“When looking at EO, I’m not sure who is now holding all the agencies to account given that was largely [former White House Homeland Security Adviser] Tom Bossert and Joyce’s roles in the past,” Cilluffo said. “With any strategy, it’s fair to say we have to be in the position to translate nouns into verbs. I was a big proponent of many of the EO’s issues, but it’s hard part to implement and execute strategy.”

Unified cybersecurity approach advocated

Cilluffo, like many experts, is not in favor of the National Security Council eliminating the cyber coordinator position.

A common refrain from Daniel, Cilluffo and others was eliminating the named positions distracts from the unity of effort that is needed to address cyber threats and incidents.

Kate Charlet, a former acting deputy assistant secretary of defense for cyber policy in the Defense Department and now program director of Technology and International Affairs at the Carnegie Endowment for International Peace, said unlike other issues where maybe only a handful of agencies are involved, the old adage that cyber needs a whole of government approach is never more true.

“With cyber, you have DHS, Justice, Commerce, Energy, State, the NSC and so many others which all care about cyber policy issues. There is so much interagency wrangling that goes on, it takes a huge amount of bandwidth so having that extra authority that came with the cyber coordinator position was needed to deal with all the actors involved,” Charlet said. “There will be other areas impacted more than federal cybersecurity because you still have [acting federal CISO and White House Senior Director] Grant Schneider, who I expect to continue to be responsible for federal cybersecurity.”

Daniel added the lack of a cyber coordinator means the federal CISO becomes more important to further drive progress on federal network security.

“You have to have somebody focused on that as their day job,” he said.

Daniel said he and others recognize the president and the NSC director have the right to rearrange the council as they see fit.

“From an operational perspective, a lot depends on what they now decide to do. Are they going to make both positions a special assistant to the president and senior directors? That approach has implications on how those positions interact with other agencies,” he said. “Are they splitting the director into two positions, and who will have responsibility for what? A huge part of the role is herding the cats by spending time to get agencies into alignment. The NSC is special in that you can’t order them to do something. They are not directive positions. Your job is to bring people together, reach consensus, persuade and use the convening power of NSC to achieve your goals. It does take time to do all that.”

Robert Palladino, the NSC’s spokesman, said the council’s cyber office has two capable senior directors who will coordinate cyber matters and policy.

“As they sit 6 feet apart from one another, they will be able to coordinate in real time,” he said in a statement. “[Thursday’s] actions continue an effort to empower National Security Council senior directors. Streamlining management will improve efficiency, reduce bureaucracy and increase accountability.”

Permanent CISO uncertain

The consolidation of the cyber coordinator role also casts more uncertainly about whether the administration will name a permanent federal CISO.

Trevor Rudolph, a former chief of OMB’s cyber and national security team and now a cybersecurity policy fellow at New America, a think tank, said the decision to remove the White House coordinator position strengthens the hand of the federal CIO around cyber issues.

“I think that individual needs to take a serious look at updating the Federal Information Security Management Act (FISMA), strengthen agency CISO authorities, and from that it will logically flow to formalize the federal CISO position and figure out once and for all what authorities are needed, the federal CISO’s relationship with DoD and the intelligence community,” he said. “I think we need to figure out the federal CISO’s roles and authorities before you name an official. It would be  a mistake to name someone without first understanding their roles and authorities.”

Rudolph said stepping back from the White House and federal CISO discussions, the bigger issue is whether these decisions and others are part of a state of complacency or numbness that many people in and out of government feel because of the constant stream of cyber attacks.

“How you right that ship is by having a strong leader in White House around cyber,” he said.

And that could come from the cyber coordinator’s role, the new NSC positions or even a federal CISO.

So while the debate over the cyber coordinator’s role continues, the telltale sign will come the next time there is a cyber incident in which a whole of government response is needed. Will it be more like Wannacry or more like Heartbleed?

“We need a coach to know how pieces all align and where they don’t, and we need someone to have visibility across all the initiatives agencies are doing and need someone to hold them to account. That was a big take away with the EO, and I’m not sure who is assuming that function right now,” Ciffullo said. “Clearly progress has been made. I know that agencies and OMB are delivering on some of those EO requirements. But how all of those pieces are being integrated into a cohesive whole was one of the primary functions of the cyber coordinator. We are not fully clear on how some of those gaps will be backfilled right now.”

Read more of Reporter’s Notebook