14 May 2021

CLOSING THE GAPS IN CYBERSECURITY

Erica D. Borghard

Prior to the Biden administration’s recent announcement of the nomination of Chris Inglis to serve as the inaugural National Cyber Director (NCD), debates swirled in cybersecurity policy circles about the role the NCD would play and whether its office would be duplicative of functions that already exist within the National Security Council (NSC), particularly the newly-created position of Deputy National Security Advisor for Cyber and Emerging Technology, which Anne Neuberger currently holds.

Elevating the role of cybersecurity issues within the NSC was long overdue and is a positive development. There are, however, several areas where the NCD will fill an important gap in a way that complements and enhances, rather than overlaps with, the cybersecurity efforts within the NSC.

THE IDEA

The creation of a Senate-confirmed NCD, along with an Office of the National Cyber Director (ONCD), within the Executive Office of the President was an idea generated by the US Cyberspace Solarium Commission, created by Congress in the FY2019 National Defense Authorization Act (NDAA) to develop a strategy and set of policy recommendations to defend the United States against cyber attacks of significant consequences. One of the foundational recommendations that anchored the Commission’s March 2021 final report was the NCD.

The report detailed the Commission’s vision for the NCD to take the lead on coordinating cyber strategy and policy, as well as defensive campaigns; be the locus for collaborating with the private sector; oversee cybersecurity compliance across the federal government; and be the president’s principal cybersecurity advisor. Ultimately, the fiscal 2021 NDAA largely hewed to the Commission’s concept in its establishment in law of the NCD and ONCD — and also allowed for a larger staff of up to 75 individuals to serve within the ONCD.

WHERE THE NATIONAL CYBER DIRECTOR CAN LEAD

There are several aspects of the NCD’s position that make it particularly well-suited to taking the lead in specific areas. First, there is an overwhelming consensus within the cyber policy community that the federal government must improve how it works with the private sector. One of those areas of improvement lies in establishing a focal point within the government with the primary responsibility for outreach to, and interaction with, the private sector. That’s not to say that there should be only one touchpoint within the government. However, establishing a single leading entity with the ability to help coordinate and clarify how various government elements work with the private sector can clarify what is otherwise an ad hoc, duplicative, and sometimes counterproductive set of relationships. This is a role that more naturally fits within the remit of the ONCD than the NSC.

By its nature, the NSC — the core function of which is to advise the president on pressing national security issues — is a more inward-focused body. Indeed, there is significant value in a more internal and private process to support the president’s decision- and policymaking process for national security. In contrast, the NCD would not face similar constraints.

Second, a significant deficit in cyber strategy — as well as US strategy in general — is the absence of comprehensive, long-term strategic planning. It has become a truism to bemoan the fact that so much of US policy planning, including that which takes place within the NSC, is focused on short-term challenges and responding to the inevitable crises and contingencies that arise, rather than positioning the United States to tackle over-the-horizon threats and capitalize on future opportunities. This issue is particularly acute in cyberspace because of the frequency with which significant cyber incidents take place. Indeed, in the few short months since President Joe Biden was elected, the United States suffered two major cyber incidents linked to nation-state rivals: first, the SolarWinds breach, attributed to Russia, which led to the compromise of federal government networks at significant scale, as well as emails of senior officials; and second, the Microsoft Exchange hack, which may be linked to China, which exploited vulnerabilities in Microsoft Exchange servers that allowed threat actors to gain access and steal data, and would potentially enable other nefarious actors to infiltrate vulnerable systems for more destructive purposes.

With the NSC and relevant federal departments and agencies appropriately focused on two concurrent and large-scale incident responses — an effort that demands significant time, attention, and resources — it’s not clear where the bandwidth exists in the federal government for deliberative, foresighted cyber strategy development. This is an area where the NCD, supported by a large staff of up to 75 personnel, and additional potential for contractor support, has a comparative advantage and can fill a significant gap in existing roles and responsibilities.

Finally, the fact that the NCD is a Senate-confirmed position provides an opportunity for Congress to play a more meaningful role in the oversight of cyber strategy and policy. There is a growing recognition that the consolidation and entrenchment of power within the executive branch over national security issues may have negative effects on national security and foreign policy over the long term. Given the preeminence of cybersecurity issues for US national security, strengthening Congress’ constitutionally-delegated responsibilities and authorities in this area could have a positive effect on strengthening congressional prerogatives.

ON THE RIGHT PATH

As the Biden administration continues its work to define and clarify the roles and responsibilities of the NCD and other critical cyber positions within the executive branch, it is clear that the incoming NCD has a significant challenge ahead in building a new organization from the ground up and integrating it within the rest of the interagency. The three areas where the NCD could have the most leverage and impact — interaction with the private sector; the capacity for long-term strategic planning; and strengthening relationships with Congress — are all significant in their own right and reflect critical gaps in how the United States is organized to address cybersecurity issues. These are challenges that will not be solved on day one, which means that the NCD must be appropriately resourced and be granted sufficient runway to tackle these issues over time.
