August 28, 2025 | Insight

5 Urgent Tasks for the New National Cyber Director

The new chief of U.S. cyber policymaking, Sean Cairncross, brings to the table extensive experience gained as a former adviser to the White House chief of staff and CEO of the Millennium Challenge Corporation, which seeks innovation in foreign assistance. Confirmed by the Senate on August 2 as the new national cyber director, Cairncross has an opportunity to reset his office’s role, establishing the Office of the National Cyber Director (ONCD) as the central force within government working to ensure the resilience of U.S. critical infrastructure.

As two of the leading advocates for the creation of ONCD as envisioned by the congressionally mandated Cyberspace Solarium Commission, we acknowledge that the office has not performed up to expectations, especially with regard to making federal cyber policy coherent. This is due to the difficulty of the job as well as tensions and turf wars within the Executive Office of the President that previously limited ONCD’s role. Looking ahead, Cairncross must shed this baggage to accomplish five hard tasks:

1. Solidify ONCD as coordinator for U.S. cybersecurity policy.

By statute, the national cyber director is the president’s principal cybersecurity adviser. The office has suffered, however, from turf battles with the National Security Council and federal agencies that refused to align budgets and priorities with ONCD’s directions, limiting its effectiveness at coordinating national cyber policy. With the current NSC Cyber team focusing on the enormous and growing challenge of crafting America’s offensive cyber strategy, ONCD now has greater latitude to lead everything else. To get the interagency to play ball — and tackle the other issues outlined below — ONCD will need strong relationships. To support the new tasks the office takes on, Cairncross must prioritize rebuilding ONCD’s staff. The law creating the office authorized employing up to 75 people, but the office is less than half staffed after Biden administration political appointees stepped down and detailees returned to their home agencies.

2. Improve the cyber resilience of America’s most critical infrastructure.

Across 16 sectors, private companies own and operate hundreds of thousands of critical infrastructure assets nationwide. By definition, all critical infrastructure is important to national security, economic productivity, and public health, but only some of these assets have a systemic-level impact. A ransomware attack on a gas station may be disruptive to a community, while a cyberattack on a pipeline transporting half of all fuel to the East Coast affects the entire country. Though previous administrations have attempted to identify the most critical of the critical, these efforts were incomplete, and none included the benefits and burdens necessary to make this list meaningful. ONCD should identify America’s most important infrastructure assets, work to provide them with improved intelligence support and threat warning so they can protect their own systems, and require these companies to rapidly identify and mitigate risks to their reliable operation. ONCD’s primary focus must be on the assets that support our national security — especially our military mobility and our economic productivity — as adversaries are already infiltrating these infrastructures to put U.S. national security at risk.

3. Ensure the federal government performs as a reliable partner for the private sector.

The federal agencies that are designated as sector risk management agencies (SRMAs) are legally required to help critical infrastructure owners and operators understand, identify, and mitigate cyber risks. While some agencies excel at this public-private collaboration, many do not. ONCD should focus on improving agency performance. This starts with a rewrite of an April 2024 policy document (known as NSM-22) that the Biden administration’s interagency clearance process watered down such that it did little to update Obama-era critical infrastructure security policy. NSM-22 failed to tackle how a decade of technological innovation has changed what should be considered critical infrastructure. ONCD must also assess and correct federal agencies’ budgets to ensure they are properly resourced for their SRMA tasking because so few currently are.

4. Streamline the cyber incident response process to better support critical infrastructure.

Another decade-old policy document, known as PPD-41, governs federal responses to cyber incidents. But current federal response efforts lack the speed and agility necessary to support U.S. critical infrastructure under duress. ONCD should lead efforts to rewrite PPD-41 and clarify responsibilities for the national incident response process. The rewrite should do at least four things: 1) place ONCD at the helm of a regular cyber-response group that brings together agency leads to monitor and communicate about cyber incidents; 2) designate the Cybersecurity and Infrastructure Security Agency as the “cyber incident 911” and director of asset response; 3) establish a framework for effective communication with private companies and international partners; and 4) direct the National Guard to develop comprehensive nationwide cyber response capabilities.

5. Plan now for the worst adversarial cyberattack to ensure continuity of the economy.

While the Biden administration recognized the importance of being ready for a worst-case cyber or physical disruption of critical infrastructure, it failed to bring federal agencies together to launch planning and conduct exercises to ensure the continuity of the economy after a very bad day. ONCD should align federal disaster policies to address continuity of the economy scenarios, develop detailed recovery plans, use tabletop simulations and exercises to test these plans, and reassess and correct based on the results. The adversary is ready to impose a worst day on the United States, and the federal government is not postured to respond. ONCD, however, has the unique remit to address this glaring gap.

Retired Rear Adm. Mark Montgomery is a senior fellow and the senior director of the Foundation for Defense of Democracies’ (FDD’s) Center on Cyber and Technology Innovation (CCTI), where Annie Fixler is a director and senior fellow. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.