The Biden administration is blessed with a number of advantages in cybersecurity: a deep pool of talent, new authorities and money for the Cybersecurity and Infrastructure Security Agency (CISA), wide agreement about following on the work of the Cyberspace Solarium Commission, and Democratic control of Congress. That’s a deep hand. The challenges, however, are just as significant, most notably the continued fallout from the SolarWinds hack in an environment stressed by the pandemic and politics. In short, the new administration needs to make a hot start on cybersecurity.
The steps taken by the Biden team will inevitably be compared to those of the Trump administration. While it is easy to lampoon the prior administration’s efforts, its failures stem from lack of leadership and incompetence at the highest level — especially the president himself — rather than the quality of work in the agencies. Yes, we had the “400-pound hacker” the “impenetrable cyber security unit,” and the early and inexplicable elimination of the State Department Coordinator for Cyber Issues, but we saw appointed the most — or one of the most — effective Cybersecurity Coordinators ever in the NSC, Rob Joyce, and the appointment of election 2020 wunderkind Christopher Krebs to head cybersecurity in DHS, first at the National Protection and Programs Directorate, then at CISA when it launched.
As the new administration gets organized, we lack the luxury of time. The SolarWinds hack makes that clear. Numerous government agencies and capable private sector organizations have been compromised, and the full scope of harm is certainly not known yet. Combined with this, of course, is the overall level of cybersecurity risk to the country, which continues to rise every day despite the efforts of many. We can’t wait to take action either on immediate response to SolarWinds or long-term efforts to increase cybersecurity at all levels.
No factor affects cybersecurity as much as leadership, which is why when CISA recently produced cybersecurity “toolkits” for organizations, the very first one was on leadership. To get national cyber leadership right, I’d suggest three things:
Team first: The new administration should follow the initial path of the Trump administration and get the right team in place. By all accounts, this effort is proceeding well. Experienced cybersecurity leaders have been identified and, in some cases, announced for the White House/EOP, CISA, NSA and other security-focused agencies. Now, formalizing appointments and confirming nominees must be the very highest priority.
Clear lines of authority: President Biden must define a governance structure that will allow the team to collaborate and lead effectively. That sounds simple, but it isn’t — because the initial operating structure is yet to be defined. The Trump administration’s elimination of the Cybersecurity Coordinator at the National Security Council was a significant factor in the creation of the new Office of the National Cyber Director (ONCD) led by a Senate-confirmed National Cyber Director in the White House — an action recommended by the Cyberspace Solarium Commission and now the law of land.
In full disclosure, others and I opposed the creation of the ONCD, in my case, precisely because creation would cause confusion over roles and responsibilities and bore the risk of undercutting CISA. Well, here we are, and the administration needs to make the new structure work. It must define clear roles and responsibilities for:
- the National Cyber Director, rumored to be Jen Easterly;
- the Director of CISA, rumored to be Rob Silvers;
- the new NSC Deputy National Security Advisor for Cyber and Emerging Technology, a newly elevated position in the NSC and a critical part of the national security decision-making apparatus (Anne Neuberger of the NSA has been selected for this position); and
- the Federal CISO.
One of these offices is elevated (NSC) and one is entirely new (NCD). Their responsibilities overlap with each other in some ways — and overlap with the other numerous cybersecurity offices across the federal government, including at DOD, DOJ, DHS, the State Department, Commerce Department, FBI and NSA. Building a new government office like the ONCD can be a challenge under any circumstance, and with the current set of cybersecurity needs, confusion is a recipe for disaster. Moreover, National Security Memorandum-2, signed by the president on Feb. 4, doesn’t solve this problem by itself as it is focused on participation in the NSC.
Focus on partnership: The U.S. has no time for a team of rivals, it needs a team of partners. Again, that is far easier said than done — the agencies involved will have inherent conflicts of interest that will put pressure on undoubtedly good-willed people. These conflicts will be exacerbated by those outside the government who have an interest in the outcome, and there will be numerous issues on which to fight — offense vs. defense, deterrence vs. prevention, partnership vs. regulation vs. liability, defend forward, and many more. More than anything else, this will be the most important responsibility of the National Cyber Director: ensuring one team, one fight in design, implementation, and practice.
Philip Reitinger is president and CEO of the Global Cyber Alliance, and formerly served as deputy undersecretary for the national protection and programs directorate and the director of the National Cyber Security Center in the U.S. Department of Homeland Security. This article was written in his personal capacity.