How to Make the National Cyber Director Position Work

Over the new year, Congress overrode President Trump’s veto to enact into law the National Defense Authorization Act (NDAA) for fiscal 2021—an annual piece of legislation that lays out the budget, expenditures and policies of the Pentagon for the upcoming year. This year’s NDAA also contains numerous cyber-related provisions, among them § 1752, which establishes a new Office of the National Cyber Director (ONCD) within the Executive Office of the President (EOP). The head of the ONCD, the national cyber director (NCD), is subject to Senate confirmation and is tasked with serving as “the principal advisor to the President on cybersecurity policy and strategy relating to the coordination of” defensive strategies for federal and critical infrastructure organizations, incident response, diplomatic initiatives relating to cybersecurity, efforts to deter adversaries and industry engagement. The NCD will lead a sizable office of up to 75 staff.

The legislation implements one of the signature recommendations of the Cyberspace Solarium Commission, which Congress established in 2019 to develop a strategic approach to combating future cyberattacks. The commission proposed the national cyber director concept as a remedy for what it assessed to be insufficient institutionalization of policymaking around cyber strategy and a lack of interagency coordination. Having a Senate-confirmed NCD will also give Congress, as commission co-chair Sen. Angus King has quipped, “one throat to choke” on cyber issues.

It will fall on the incoming Biden administration to implement the new office and send the first nomination for national cyber director to the Senate. Much hard work lies ahead. The administration will have to create a new organization within the EOP, itself no easy task. And it will also need to immediately address what is clearly among the most damaging cybersecurity breaches in American history—a major hack of SolarWinds software perpetrated by Russia affecting hundreds of victims in the federal government and the private sector. 

The history of so-called “czars”—officials appointed by the president to serve coordinating roles on various matters of policy—is instructive. On the one hand, the legislation avoids several pitfalls that have limited the legitimacy and effectiveness of other czars: The national cyber director is subject to Senate confirmation, for example, and the law authorizes a substantial ONCD staff. Congress also authorized the director to “promulgate such rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the Director” [§ 1752(e)(3)]. This is a potentially powerful tool, and one that the ONCD’s peer policy coordination organizations within the EOP do not have.

On the other hand, research by scholars of the presidency suggests that at least four additional factors contribute to the success of a policy czar: clarity of mission, expertise, a high-profile problem or task to tackle from day one, and insider access to the president and his senior leadership team. As I argue below, the legislation puts the burden for satisfying these key factors on the president. Despite its robust legislative mandate, the national cyber director concept is not self-executing.

Specifically, President Biden and his leadership team will need to clarify the ONCD’s mission, especially its relationship to the National Security Council (NSC); recruit as national cyber director someone capable of navigating complex policy and bureaucratic landscapes; pick a suitable problem for the director to tackle from the start, such as the SolarWinds hack; and give the NCD direct access to the president. 

Clarity of Mission

 As history shows, White House policy czars fizzle out when their missions are not crystal clear. One particularly high-profile case is that of Kristine Gebbie, President Clinton’s chief AIDS policy officer. Tasked with ensuring policy coordination between agencies, she was ultimately stuck in a position with, in her words, “almost nothing written down about what it should be,” disappointing many who had high expectations for her appointment and eventually leading to her resignation.

The statutory language for the national cyber director role leaves the president with considerable discretion to define the director’s scope of duties and responsibilities, which are “[s]ubject to the authority, direction, and control of the President.” Biden and his successors should mold the mission of the ONCD to fit their preferred structure for White House policymaking and coordination. Preferably, this would take the form of an executive order or a presidential policy directive that defines ONCD’s mission and its relationships with other EOP organizations, especially the National Security Council.

 The NDAA has a written list of responsibilities for the national cyber director, which at first glance appears both specific and vast. The director will: 

• [S]erve as the principal advisor to the President on cybersecurity policy and strategy relating to the coordination of [cyber defense, cyber-related diplomacy, understanding and deterring malicious cyber actors, and engaging with industry, among others] [§ 1752(A)]
•  [O]ffer advice and consultation to the National Security Council and its staff, the Homeland Security Council and its staff, and relevant Federal departments and agencies, for their consideration relating to the development and coordination of national cyber policy and strategy, including the National Cyber Strategy [§ 1752(B)]
•  [L]ead the coordination of implementation of national cyber policy and strategy [§ 1752(C)]
•  [L]ead coordination of the development and ensuring implementation by the Federal Government of integrated incident response to cyberattacks and cyber campaigns of significant consequence [§ 1752(D)]
•  [P]repar[e] the response by the Federal Government to cyberattacks and cyber campaigns of significant consequence [§ 1752(E)]
•  [C]oordinate and consult with private sector leaders on cybersecurity and emerging technology issues in support of, and in coordination with [interagency partners] [§ 1752(F)]
•  [A]nnually report to Congress on cybersecurity threats and issues facing the United States [§ 1752(G)]
•  [O]ther functions as the President may direct [§ 1752(H)]

The legislation does not assign the national cyber director any operational responsibilities. Policy implementation will continue to be conducted by agencies, consistent with their statutory mandates. Nor does the legislation give the director any authority to make agencies do anything: The NCD can “advise,” “review,” “facilitate,” “offer consultation,” “assess,” “monitor,” and “coordinate,” but not direct, command or require. The National Security Council has traditionally operated under similar constraints, so these caveats—while important to understanding the scope of the NCD’s mandate—are not unique to the new position.

The legislation also does not envision a prominent role for the national cyber director in the development of offensive cyber operations. Instead, it directs the NCD to “support … the integration of defensive cyber plans and capabilities with offensive cyber plans and capabilities” as part of the ONCD’s mission to coordinate the response to major cyber incidents. This is a subtle but potentially significant limitation on the scope of the NCD’s potential responsibilities, because it implies that the director cannot point to statutory language as justification for participating in strategic planning and doctrine development for offensive cyber operations outside the context of responding to cyber incidents.

Presumably, Congress expects the National Security Council to continue to coordinate offensive cyber policy. Most of the statutory functions listed above, however, duplicate the other cyber policy coordination functions that in previous administrations had been wielded by the NSC—especially the Cyber Directorate, where I served as a senior director in the Obama and Trump administrations, as well as the federal information technology policy coordination functions split between the NSC and the Office of Management and Budget (OMB). The latter is home to the Federal Chief Information Security Office, the most recent leader of which was dual-hatted as an NSC senior director. The

[…]

Read the original article: How to Make the National Cyber Director Position Work