The Foundation for Defense of Democracies spells out “five urgent tasks” for new National Cyber Director Sean Cairncross to tackle in order to revitalize U.S. cybersecurity policy, starting with positioning his office as the government’s central coordinator on cyber as proposed in a landmark 2020 FDD report.
“As two of the leading advocates for the creation of ONCD as envisioned by the congressionally mandated Cyberspace Solarium Commission, we acknowledge that the office has not performed up to expectations, especially with regard to making federal cyber policy coherent,” FDD’s Mark Montgomery and Annie Fixler write in an Aug. 28 “insight.”
“This is due to the difficulty of the job as well as tensions and turf wars within the Executive Office of the President that previously limited ONCD’s role. Looking ahead, Cairncross must shed this baggage to accomplish five hard tasks,” they write.
Fixler is the director of FDD’s Center on Cyber and Technology Innovation. Montgomery, a retired rear admiral, was executive director of the Cyberspace Solarium Commission, which proposed the creation of the Office of the National Cyber Director in 2020, and leads the current iteration, CSC 2.0, housed at FDD.
“Director Cairncross strikes me as having the most important attributes needed to move ONCD on to its next level - - interagency skills, proven agency management, and relationships with other administration leaders,” Montgomery told Inside Cybersecurity following a 59-35 Senate vote on Aug. 2 to confirm Cairncross.
According to FDD’s new posting, Cairncross should prioritize efforts to:
- Solidify ONCD as coordinator for U.S. cybersecurity policy.
- Improve the cyber resilience of America’s most critical infrastructure.
- Ensure the federal government performs as a reliable partner for the private sector.
- Streamline the cyber incident response process to better support critical infrastructure.
- Plan now for the worst adversarial cyberattack to ensure continuity of the economy.
Montgomery and Fixler write, “By statute, the national cyber director is the president’s principal cybersecurity adviser. The office has suffered, however, from turf battles with the National Security Council and federal agencies that refused to align budgets and priorities with ONCD’s directions, limiting its effectiveness at coordinating national cyber policy.”
However, they say, “With the current NSC Cyber team focusing on the enormous and growing challenge of crafting America’s offensive cyber strategy, ONCD now has greater latitude to lead everything else.”
“To get the interagency to play ball, and tackle the other issues outlined below,” they say, “ONCD will need strong relationships. To support the new tasks the office takes on, Cairncross must prioritize rebuilding ONCD’s staff. The law creating the office authorized employing up to 75 people, but the office is less than half staffed after Biden administration political appointees stepped down and detailees returned to their home agencies.”
On infrastructure security, the FDD authors write, “Though previous administrations have attempted to identify the most critical of the critical, these efforts were incomplete and none of these efforts included the benefits and burdens necessary to make this list meaningful.”
Now, they say, “ONCD should identify America’s most important infrastructure assets, work to provide them with improved intelligence support and threat warning so they can protect their own systems, and require these companies to rapidly identify and mitigate risks to their reliable operation.”
FDD stresses, “ONCD’s primary focus must be on the assets that support our national security -- especially our military mobility and our economic productivity -- as adversaries are already infiltrating these infrastructures to put U.S. national security at risk.”
On incident response, Montgomery and Fixler call for updating the “decade-old policy document” known as PPD-41 to “do at least four things:”
1) place ONCD at the helm of a regular cyber-response group that brings together agency leads to monitor and communicate about cyber incidents;
2) designate the Cybersecurity and Infrastructure Security Agency as the “cyber incident 911” and director of asset response;
3) establish a framework for effective communication with private companies and international partners; and
4) direct the National Guard to develop comprehensive nationwide cyber response capabilities.
And on continuity of the economy, or COTE, they say, “While the Biden administration recognized the importance of being ready for a worst-case cyber or physical disruption of critical infrastructure, it failed to bring federal agencies together to launch planning and conduct exercises to ensure the continuity of the economy after a very bad day.”
Montgomery and Fixler say, “ONCD should align federal disaster policies to address continuity of the economy scenarios, develop detailed recovery plans, use tabletop simulations and exercises to test these plans, and reassess and correct based on the results. The adversary is ready to impose a worst day on the United States, and the federal government is not postured to respond.”
They write, “ONCD, however, has the unique remit to address this glaring gap.”
The fiscal 2021 National Defense Authorization Act directed the president to develop a continuity of economy plan but FDD criticized the recommendations delivered to Congress in 2023, arguing that the final product failed to determine how to improve existing policies or frameworks relevant to COTE planning. -- Charlie Mitchell (cmitchell@iwpnews.com)