The move would ensure cybersecurity is a priority for the White House by giving someone with a 24/7 focus on the topic direct access to the president. The director would advise the president on all issues related to cybersecurity and help coordinate the government response to major digital attacks and diplomatic efforts related to cybersecurity.
“It is abundantly clear the country needs someone in charge of cybersecurity at the highest levels of government,” said Rep. Jim Langevin (D-R.I.), co-founder of the congressional cybersecurity caucus who has spent years advocating for such a position.
The cyber director would be one of a handful of White House officials that require confirmation by the Senate.
That would give the position extra heft in trying to impose the White House’s vision for cybersecurity on other departments and agencies.
This will be especially important following the Trump administration. While it’s generally credited with good progress on improving the cybersecurity of government and industry, different parts of the government often worked at cross purposes from each other.
The administration’s efforts were also regularly undermined by Trump himself who expressed doubt about intelligence agencies’ conclusions Russia interference in the 2016 election, publicly mulled backing away from harsh measures to rein in the Chinese telecom Huawei and fired the nation’s top election security official weeks after the presidential election.
Michael Daniel, who was cyber coordinator during the Obama administration, noted that “coordination was not the Trump administration’s song suit.” “If you look at agencies during the Trump administration, they’ve improved on cybersecurity … but what’s been atrophying is the coordinating function,” said Daniel who now leads the Cyber Threat Alliance industry group.
“My philosophy of management is if you have sloppy structure, you’re going to have sloppy policy,” said Sen. Angus King (I-Maine), co-chair of the Cyber Solarium Commission, a congressionally-led panel that recommended a broad overhaul for how the government manages cybersecurity and made creating the cyber director position one of its top priorities. “We have really good (cybersecurity) silos in government, but they’re still silos. That’s why this position is so important.”
Chatter about who might fill the role has focused mostly on people with deep experience in government cybersecurity operations.
Solarium Commission co-chair Rep. Michael Gallagher (R-Wis.) suggested other commission members to fill the role — including Suzanne Spaulding, who led Department of Homeland Security cybersecurity operations during the Obama administration, and Chris Inglis, former deputy director of the National Security Agency.
“They’re ideally positioned to serve in that role having distinguished themselves in their careers including in their commitment to the Solarium Commission and also for taking a bipartisan or nonpartisan approach,” Gallagher told me.
Gallagher also rattled off a series of other names of people who’d assisted the commission who he said should be considered, including Jen Easterly, who’s served in the White House and intelligence community and now works on cybersecurity for the investment firm Morgan Stanley, Lisa Monaco who was Homeland Security Adviser to Obama and is now a partner at the law firm O’Melveny and Laura Rosenberger who worked in the State Department and White House and is now director of the Alliance for Securing Democracy at The German Marshall Fund.
Daniel told me he’d be “open to it if that is something that President-elect Biden would be interested in” but stressed that “it would be up to the administration.”
King declined to suggest any names for the position but, when I told him Gallagher had recommended Spaulding and Inglis, he said “I certainly wouldn’t object to either of them.”
The Biden campaign didn’t respond to a query about possible appointments for the role.
Solarium members drafted the legislation that created the new position and that was later included in the National Defense Authorization Act, or NDAA, an annual defense policy bill.
That bill is almost guaranteed to pass the House and Senate but may get hung up at the White House. Trump has threatened to veto the bill because it doesn’t include provisions that remove the legal shield prized by social media companies, which he says are biased against him and other conservatives. If Republicans hold their ground, Trump could face the first veto override of his presidency on the must-pass military operations bill.
Some other lawmakers, meanwhile, are skeptical the cyber director can be as powerful as they’d like.
Sen. Mark R. Warner (D-Va.) fretted that the position may not be effective unless the person who holds it can successfully impose his or her will on other government agencies.
“It depends on who the person is and how much actual power will come with that,” he said during a panel discussion at the Aspen Institute Cyber Summit.
Rep. Will Hurd (R-Texas), a top cybersecurity and technology policymaker who’s retiring from Congress, agreed. “I fear that if you have one centralized place it will just take the responsibility off everyone else to be focused on this — unless that person is going to really snap the whip and make sure everyone else is doing their part,” he said during the same discussion.
Gallagher told me he shares some of those concerns. But he thinks the director will have all the necessary authority provided that person has a strong relationship with the president and can martial the force of the White House behind him or her.
That’s also essentially true for the influence of even top cabinet positions such as the secretaries of State and Defense, he noted.
“What will matter is if the person is close enough to the president and has the president’s trust,” he said.
The keys
The NDAA is also chock full of other cybersecurity provisions.
- Grant the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency subpoena power to force Internet companies to share the names of organizations that are vulnerable to hacking.
- Create positions for federally funded cyber coordinators in every state who would be responsible for developing better cyber threat plans and improving cybersecurity information sharing with the private sector.
- Give the National Guard a larger role in working with federal and state agencies to address cyberattacks.
The Cybersecurity and Infrastructure Security Agency “stands by” a statement that got its former director fired, the acting chief says.
Brandon Wales told the Aspen Cyber Summit that CISA isn’t backing away from the statement that declared that the November election wasn’t marred by hacking.
But he also stressed the statement didn’t directly address fraud concerns raised by Trump and his allies, and that the statement was made jointly with state election officials and the Election Assistance Commission.
Trump fired former CISA director Chris Krebs by tweet soon after the statement was released last month, calling it “highly inaccurate” and claiming without evidence that there were “massive improprieties and fraud” during the election. Attorney General William P. Barr has said he has not found sufficient evidence of fraud to doubt the election results, Wales noted.
Wales also pledged that a CISA rumor control page that drew Trump’s ire will remain in operation through two Jan. 5 runoffs in Georgia that could determine control of the Senate.
“What I’ve told our staff is our election security mission…will continue until all the elections are complete,” he said. “We’ll keep issuing rumor control entries as the situation warrants.”
Wales declines to endorse the idea of a rumor control effort around the forthcoming covid vaccines. That’s something Krebs had speculated about before his firing. Wales said other organizations in and out of government might be more trusted voices when it comes to vaccines.
The U.S. government used a controversial surveillance program to secretly collect logs of website visitors.
The new disclosures could complicate debate over renewing Section 215 of the Patriot Act, a controversial provision that allowed intelligence officers to collect the data. Congress failed to renew the provision in March but is likely to begin debating it again during the Biden administration.
The Office of the Director of National Intelligence acknowledged the previously undisclosed practice in response to a request from the office of Sen. Ron Wyden (D-Ore.). The government does not collect searches that people make within websites because it consider the information content that requires a warrant, the ODNI told Wyden.
Wyden has called to exclude Internet browsing and search data from the program’s purview. The disclosure raises “all kinds of new questions, including whether, in this particular case, the government has taken steps to avoid collecting Americans’ web browsing information,” Wyden told the Times.
Privacy advocates also pointed to the revelation as another reason for reform. “Our web-browsing records are windows into some of the most sensitive information about our lives — revealing everything from our political views to potential medical conditions,” said Patrick J. Toomey, a senior staff attorney with the ACLU’s National Security Project. “If Congress considers reviving Section 215 at all, it must prohibit the government from abusing this surveillance law to track the web-browsing activities of people in the United States.”
The United States sent cyber operatives to Estonia before November’s election to observe Russian hackers.
The deployment was one of several the United States launched ahead of the election to sniff out tactics that state-sponsored hackers might be testing out before hitting U.S. targets, Julian E. Barnes at the New York Times reports.
The cooperation with Estonia allowed U.S. Cyber Command to learn more about attacks against Estonia and compare them to attacks Moscow used against the United States, said Brig. Gen. William J. Hartman, commander of the Cyber National Mission Force.
Estonia, which is often seen as a testing ground for Russian hackers, has become more aggressive about sharing threat intelligence with the United States and other world partners.
Global cyberspace
The United States added China’s biggest chipmaker to its trade blacklist.
The Department of Defense designated four companies including major chipmaker Semiconductor Manufacturing International Corporation (SMIC) to a list of companies that are allegedly tied to the Chinese military, Alexandra Alper and Humeyra Pamuk at Reuters report.
The ban will likely escalate trade tensions between the United States and China as Trump nears the end of his term. While the United States owns most of the world’s chipmaking technology, it significantly lags China in production — an imbalance it’s sought to address through a variety of trade maneuvers.
Chat room
Will Chris Krebs be the next Cameo star?
Daybook
- The Atlantic Council will hold an event on the incoming U.S. administration and the future of supply chains in the Americas on Dec. 9 at 2 p.m.