With a large swath of the federal workforce still teleworking during the coronavirus pandemic, agencies remain wary of a heightened volume of phishing attempts and other cybersecurity threats.
Amid these concerns, lawmakers on the Cyberspace Solarium Commission urged members of the House Oversight and Government Reform Committee to pass legislation that would bring back and strengthen the national cybersecurity coordinator position the White House scrapped two years ago.
The position lasted through the George W. Bush and Obama administrations, but former National Security Adviser John Bolton eliminated the role in 2018 as part of an effort to reduce the federal bureaucracy.
That argument still holds weight for Republicans on the committee. Ranking Member Rep. James Comer (R-Ky.) said the heightened volume of remote operations during the pandemic has “created new cyber vulnerabilities for these malicious actors to take advantage of” and requires greater partnership with industry, and state and local government.
But with multiple agencies holding “a piece of the cybersecurity pie,” Comer said he questioned whether restructuring the cyber coordinator role would also restore a layer of bureaucracy which Bolton tried to remove.
“Will the national cyber director utilize the existing cyber leadership and expertise in our government, or do we risk making that bureaucratic pie bigger and creating duplicating functions?” Comer said. “Will a national cyber director add value to this nation’s cybersecurity infrastructure? Or should we align and support systems already in place?”
Despite these concerns, the bipartisan Cyberspace Solarium has made it one of their top priorities among 82 recommendations it released in March.
Rep. Mike Gallagher (R-Wis.), one of the solarium’s co-chairmen, said he understood restoring the cyber coordinator role would be the “least bureaucratic option, least onerous and most efficient” in building a coordinated cyber defense capability.
Rather than create a new agency, which would take years to create and “further muddy the bureaucratic waters,” Gallagher said the coordinator would retain a staff of about 75-to-100 personnel, with some on detail from other agencies, and an annual budget of about $10-15 million.
Gallagher said this staffing would help offset the “dramatic imbalance” in personnel between the cyber offense capabilities of the National Security Agency and the Defense Department’s Cyber Command, and the cyber defense supported by the Cybersecurity and Infrastructure Security Agency.
“That would be a small step toward perhaps correcting that imbalance, giving the White House better purview into defensive operation,” he said.
Instead of just restoring the cyber coordinator position, the National Cyber Director Act elevates the cyber coordinator role by requiring Senate confirmation.
“We want this person to not only have the ear of the president but be a single bellybutton that we as legislators can push to get answers,” Gallagher said.
The bill would also give the cyber coordinator budget certification authority, which would allow the officeholder to “effectively flag for the president something of concern” in agencies’ cybersecurity budgets, Gallagher said.
While the cyber coordinator, with Senate-confirmation, would have greater independence from the president, the president would still have the final say over cyber policy.
“If, for example, there was a disagreement between [the Office of Management and Budget] and the national cyber director – just as there’s often disagreement within different executive branch agencies – the president working through his national security adviser can adjudicate these disputes,” Gallagher said.
National security subcommittee chairman Stephen Lynch (D-Mass.) said it was “not only reasonable but necessary” to recreate the national cyber coordinator position given the scope of the threat.
Lynch recalled a recent committee briefing where FBI and CISA officials said every federal agency and industry enterprise working on coronavirus vaccine research is a “current target for foreign cyber attackers.”
“The need for greater leadership, strategic planning and policy coordination to ensure the security of our nation in the cyber domain could not be more urgent or important,” Lynch said.
Meanwhile, Chairwoman Carolyn Maloney (D-N.Y.) said the need for cyber vigilance is even greater during the pandemic.
“We must ask ourselves what other warnings are going unheeded, and what can we do right now to protect the American people from other catastrophic threats,” she said. “Before the unthinkable happens in the future, how can we exercise strategic, decisive foresight to the best of our ability today to ensure we are a nation prepared tomorrow?”
Rep. Jim Langevin (D-R.I.), a solarium commissioner, said Bolton “did a disservice to the president” by eliminating the cyber coordinator position.
“We see the cyber domain as the ultimate realm for asymmetric operations in the grey zone short of war, Langevin said. “We can seize the initiative and ensure that we are not left to wonder the day after an attack what more could we have been done,” he said.
Langevin said the solarium’s recommendations seek to “prevent the next OPM breach,” but he added that few agencies consider cybersecurity a core part of their mission.
“Because cybersecurity is difficult to measure, we end up with misaligned incentives. People skimp on cybersecurity because they would rather invest in operationally relevant programs in their department,” he said. “We need a strong leader in the White House to defeat the inertia that pushes investments in cybersecurity down the road or until a devastating breach occurs.”
While CISA, since its creation, has worked with industries that control wide swaths of the country’s critical infrastructure — utilities such as water, electricity and the financial industry — Langevin said only a national cyber director would help “break down the siloes” between government and industry.