On January 20, the Biden-Harris Administration will assume control of a tumultuous policy landscape. The ongoing SolarWinds breach and the continuing cyber threats in the wake of the January 6 attack on the U.S. Capitol pose significant challenges and painfully demonstrate the importance of a streamlined and strategic approach to federal information security. The Biden-Harris Administration has the opportunity to leverage the newly created role of National Cyber Director (NCD) to help prepare for and mitigate the impact of future cyberattacks. Here are five recommendations that provide the NCD with the right authorities to be immediately effective.
1. Identify a candidate as soon as possible and define a clear scope of responsibilities for the NCD in the first 100 days to drive efficiency. Given the severe crises currently jeopardizing U.S. national security, quickly naming a person to fill this security-based role is critical. In addition, while the position was intentionally designed to provide some elasticity of authority to account for the evolving nature of the cyber environment, clearly assigned responsibilities are needed to provide clarity and efficiency during this tumultuous time. The incoming administration should prepare an executive order that delineates how the position will be scoped to balance flexibility with effective response authority. Additionally, a fully scoped role will hasten the nomination and onboarding of a suitable candidate.
2. Scope the role to deconflict and deduplicate responsibilities across existing positions. The abolition of the Cyber Coordinator by John Bolton in 2018 left a critical gap in cybersecurity expertise within the White House and the National Security Council. Other positions, like that of Deputy National Security Advisor, only partially address this issue. Establishing the NCD as a cabinet-level position can close that gap effectively and once again establish cybersecurity as a permanent priority within the White House. Nevertheless, establishing a new cabinet-level position runs the risk of duplicating existing roles and responsibilities. To avoid inefficiencies, the administration should assign the NCD responsibilities that complement existing roles within CISA, ODNI and the Intelligence Community as a whole, DOD, OMB (Federal CIO and CISO), the FBI, and the State Department, at a minimum. Streamlining the scope may also necessitate changes to existing positions. It may even be appropriate for the NCD to absorb a position in its entirety. For example, it might make sense to have the NCD serve in a dual capacity as Deputy National Security Advisor for Cybersecurity.
3. Focus on governance, not operations, to avoid duplicative responsibilities. Per Sec. 1752 (c) 1 C of the National Defense Authorization Act for Fiscal Year 2021, the NCD will oversee the development and enforcement of the National Cyber Strategy. Given the wide range of other responsibilities and the limitations a staff of 75 will undoubtedly pose, the NCD should avoid engaging with agency operations. Instead, the NCD should serve a predominantly strategic function. To do so successfully, the NCD should leverage existing expertise across the federal government. For example, Presidential Policy Directive-41 establishes how DHS, DOJ and ODNI have leading operational roles during a significant cyber incident. The NCD, on the other hand, should focus on assessing the current performance of government cyber programs, identifying and reporting resource gaps, and offering authoritative recommendations on how to streamline the allocation of available resources most effectively to provide agencies with the necessary capabilities to manage incidents like SolarWinds.
4. Balance offensive and defensive cybersecurity capabilities to protect government information effectively. Understandably, not all information will be eligible for sharing between the two realms of cybersecurity or across agencies. Nevertheless, withholding information increases the likelihood of persistent threats going unnoticed for a longer time. Attack patterns may not be recognized without sufficient context, specific technological expertise may not be readily available when needed most urgently and the overall risk to the U.S. government and critical industry networks may not be fully understood. The NCD should, therefore, be charged with the development of a framework to disclose vulnerabilities and intelligence to cyber defenders and facilitate all sharing processes across agencies.
5. Coordinate public-private cooperation, in addition to leading cross-agency coordination. Many agencies participate in public-private partnerships to facilitate information sharing, among other benefits. The NCD should oversee the coordination of existing efforts and provide direction on further improving the effectiveness of public-private information sharing. The importance of this cooperation became even more evident when private company FireEye first reported the SolarWinds breach that affected multiple federal agencies.
The SolarWinds breach has exposed critical failures in the posture and capability of federal information security. With even more threats stemming from the attack on the U.S. Capitol, it is imperative for the Biden-Harris Administration to prioritize the role of the National Cyber Director and ensure they are ready from day one to help formulate an effective, streamlined, and authoritative incident response strategy to respond to future cyberattacks. The technology industry remains committed to sharing its expertise and insights to empower the National Cyber Director and raise the national cybersecurity baseline.