Last week, the White House eliminated the position of cybersecurity coordinator on the National Security Council (NSC) staff. This decision comes at a time when cyber threats are expanding and the federal government needs the interagency process to help coordinate the implementation of new cyber strategies. While the NSC will retain other cyber staff, the White House has not fully explained how an already fractured cyber policymaking process will become more streamlined and efficient with the elimination of the coordinator. The decision leaves the council without a single leader to oversee interagency responses to cyber attacks and to coordinate those responses with the private sector.
Citing a desire to reduce bureaucracy, NSC spokesman Robert Palladino expressed confidence in the ability of its two senior directors, who reported to outgoing coordinator Rob Joyce, to continue the work. Josh Steinman and Grant Schneider are responsible for offensive and defensive cyber policy, respectively, and oversee another half dozen NSC staffers. Schneider concurrently has a full plate as the acting chief information security officer for the entire federal government, raising questions about whether the team will have enough bandwidth for the additional work following Joyce’s departure.
Leading a team of NSC staffers who manage the federal strategies for a variety of cyber issues, the cybersecurity coordinator plays an essential role in ensuring that national cybersecurity policies operate in concert. Recently, the Departments of Homeland Security and Energy announced individual cyber strategies, while the Pentagon announced a review of its cyber posture and deterrence. Although each strategy is tailored to the mission of the individual agency, the strategies would contribute to a holistic approach to U.S. offensive and defensive cyber efforts under the leadership of an effective cybersecurity coordinator.
Former coordinators have promoted cybersecurity standards and encouraged the public and private sectors to share threat information. Most recently, Joyce leveraged his role to increase transparency of the Vulnerabilities Equities Process, which discloses cyber vulnerabilities to the public to prevent their exploitation by hackers. As the White House noted in November, “Since there can be competing considerations for disclosing or restricting a vulnerability, it is important that the equity process be led outside any single agency. For this reason, the process is coordinated by the National Security Council (NSC) staff.”
Only the cyber coordinator is in a position to balance the competing demands of different agencies and departments. For example, the intelligence community may want to leave vulnerabilities unfixed so that they can exploit them to collect intelligence on U.S. adversaries. Law enforcement, by contrast, may harbor concerns that cyber criminals would use those vulnerabilities against U.S. targets.
The termination of the position also threatens government coordination with the private sector. According to press reporting, the White House left its private sector partners hanging when it decided to delay the public release of the NSC’s cybersecurity strategy. The delay was attributed to disagreements over what counter-offensive strategies should remain classified. The elimination of the cybersecurity coordinator position is unlikely to resolve this debate. However, both this issue and the policymaking process may be cleared up when the cyber strategy is ultimately released.
The Obama administration established the cybersecurity coordinator to secure “America’s digital infrastructure.” Since then, the challenges have only grown as America faces an increasing barrage of cyber attacks from Russian, Chinese, North Korean, and Iranian hacking groups. Eliminating the cybersecurity coordinator position signals to U.S. adversaries that Washington lacks a single voice to synchronize and lead cyber offensive and defensive efforts across federal and non-federal enterprises. Without effective leadership, the U.S. government cannot hope to implement strategies to address future threats.
Trevor Logan is a cyber research associate at the Foundation for Defense of Democracies. Annie Fixler is a policy analyst at FDD’s Center on Sanctions and Illicit Finance. Follow them on Twitter @TrevorLoganFDD and @afixler.
FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.