“The lights are on but there’s nobody home.” You could say that about White House cybersecurity leadership. Two vacancies need fillin’.
Reuters reports, Cybersecurity Coordinator Rob Joyce has announced his departure. Joyce had a one-year term assignment to the White House. He’s three months overdue.
Barely a week ago, Homeland Security Adviser Tom Bossert left. He was apparently pushed out by the newly-arrived National Security Adviser, John Bolton. Just before the RSA security conference, Homeland Security Secretary Kirstjen Nielsen said Bolton would pick Joyce’s successor.
This is all occurring as the White House is supposed to be announcing an updated National Cybersecurity Strategy. That strategy is a mandate from the 2018 Defense authorization bill. That the strategy is due soon comes from testimony from Kenneth Rapuano, an assistant secretary of Defense. He discussed it last week at a hearing of a House Armed Services subcommittee.
Bossert had promised the strategy as early as last December.
Nearly a year ago, the Trump administration did issue an executive order on cybersecurity. It mainly concerned defense of federal networks. It told agencies to use risk management as outlined by the National Institute of Standards and Technology. But the order also called on the Commerce, Defense, Homeland Security, Justice and State departments to report on their international cybersecurity priorities and an “engagement strategy for international cooperation.”
If in fact the new strategy is due any day, then Bossert and Joyce must know what’s in it. Pure speculation on my part, but maybe Bolton came in and wanted it changed in some way, prompting Bossert to leave.
As reported by Joe Marks in NextGov, Nielsen seemed to shrug off the vacuum in White House cybersecurity leadership. At a press briefing ahead of the RSA Conference in San Francisco, she said: “There are a lot of people who would like to work in the National Security Council on cyber.”
Well yes. So get them in, presuming they know something about cybersecurity. In the meantime, the headless strategy effort makes it look as if the U.S. is only slightly concerned about cyber.
Agency cybersecurity operators, while keeping an eye on developments at the national policy level, are mainly concerned with their own day-to-day affairs. Federal networks are no less safe today than they were last week, or will be when Joyce actually departs in a month.
But without a convener at the White House level, there’s less coordination, less cohesion, less feeling that cybersecurity is in fact a super-important function.
Bossert commented recently that good cyber strategy is always in flux, responding to changing conditions. If so, that heightens the importance of having someone looking at the big picture, making sure the strategies and tactics stay aligned with the goals. I see an analogy in Metro. A fire on the tracks here, a fire on the tracks there. Crews respond. Trains roll again when the smoke clear. But someone has to combine the data and formulate a strategy for the systemic problem.