In May 2018, the White House eliminated the position of National Cybersecurity Coordinator. The move has been met with much pushback from some in the cybersecurity community and even politicians. Democratic lawmakers were seeking to propose legislation to restore the position. In a statement made by the National Security Council the move was to “streamline management in order to improve efficiency, reduce bureaucracy, and increase accountability.” Nevertheless, given the fact that many security officials including the Director of National Intelligence have identified cyber threats as a national security priority, the removal of this position is largely considered a step backward and not forward. However, this may be more of a kneejerk reaction than an honest assessment of the roles and responsibilities that have been undertaken by those individuals appointed to the position.
With roots starting as early as 1997, the position first emerged in 2009 and has had three individuals in the role of Cybersecurity Coordinator – Howard Schmidt (2009-2012), Michael Daniel (2012-2017), and Rob Joyce (2017-2018), who is looking to return to the National Security Agency (NSA). The Cybersecurity Coordinator has been primarily a policy position lacking any day-to-day authority over any of the groups working on cyber security. Critics have pointed out that while the Cyber Coordinator can make recommendations, the position has no direct authority as far as budgeting is concerned, nor can the position compel agencies to comply with guidelines. This has been a systematic problem with the position – it can make all of the recommendations it wants, but if it cannot compel agencies to implement them within a specified amount of time, the title becomes largely ceremonial. Government Accounting Office reports on government cybersecurity efforts consistently find shortcomings in the federal government’s approach to ensuring the security of federal information systems and cyber critical infrastructure.
These realities directly contradict some of the criticism elimination of the position has received. From one Coordinator, “This is definitely not the signal you want to send to your allies and your adversaries.” The State Department’s former coordinator of cyber issues called this move “a tragedy.” To be fair, there is something to be said about having an individual experienced in cyber issues close to the Executive Office. But therein lies the difficulty and perhaps why the position has languished. Since cyberspace covers a diverse set of issues, how could one person be that knowledgeable in all of these areas? The backgrounds of the first three coordinators show how expertise in cyber matters covers a wide swath of areas. Schmidt had extensive experience in information technology and security, serving as the director of information security, chief information security officer, and chief security officer at Microsoft. Daniel was a 17-year veteran of the Office of Management and Budget (OMB), previously working on cyber issues in OMB’s intelligence branch – albeit from mostly a policy side – for more than 10 years. Joyce was a former NSA official where he worked in a variety of areas to include heading its offensive cyber operations side.
Cyberspace is not an entity unto itself. It is a medium and a domain that supports diverse civilian, government, and military functions. To mention a few:
- Cyberspace is a medium on which commerce is conducted.
- Cyberspace involves technologies that facilitate business operations, as well as produce, process, and store.
- Cyberspace is an operating environment in which cyber technologies can be used to support disruptive and destructive activities.
- Cyberspace is a domain exploited by criminals to steal money and intellectual property.
- Cyberspace supports critical infrastructure whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States.
- Cyberspace involves a highly connected environment that requires updates, patching, and defensive technologies and devices.
- Cyberspace is an area that requires the development of policies and planning.
At any given time, one of these areas will invariably rise to the highest levels of importance. It is improbable that any one individual will have deep-rooted experience in all of them. And therein lies the challenge of the Coordinator position as its currently been used. Yes, as one source points out the Coordinator has been involved in the development of “new policy directives, strategies, and initiatives,” but that has yet translated into tangible cyber security posture improvements. And that may have to do more with understanding what this Coordinator role should be, and how it should function, and how it can best support the Executive Office.
Critics maintain that there is no direct access to the president or the NSC for cyber issues, and cite that credible think tanks like the Center for Strategic and International Studies have actually recommended elevating the position, not eliminating it. And yet, the position has not evolved from what it is. Therefore, the elimination of the position makes sense until one can be created that actually addresses the needs of the Executive Office, and more importantly, the needs and realities of the dynamic cyber landscape. And that may mean focusing on a particular area first, and satisfying those requirements, before taking on the next head of the Hydra.
This is a guest post written by Emilio Iasiello