Inside Cybersecurity

April 25, 2024

The Editor Reports

A rough week on cyber policy, from bots and coordinators to ZTE

By Charlie Mitchell / May 17, 2018

The widespread, sharply negative reaction to elimination of the White House cybersecurity coordinator position suggests that move -- reportedly undertaken at the behest of National Security Advisor John Bolton -- was the low point in a week of cyber policy miscues.

The fumbles included last Friday's scrapped plan to release a botnet report that's expected to launch a critical new government-industry collaboration on cyber, and President Trump's curious moves in the case of Chinese telecom company ZTE.

The botnet report apparently has cleared Commerce Department review and is awaiting final signoff at the Department of Homeland Security, but all of that bureaucratic procedural minutiae should've been cleared up by early last week, in time for a May 11 release.

About this feature:
'The Editor Reports' is a feature from Inside Cybersecurity intended to identify themes emerging from our news coverage and pose questions about the direction of evolving cybersecurity policies. Email comments to cmitchell@iwpnews.com.

It was to be the centerpiece of events -- including industry-planned gatherings -- marking the one-year anniversary of Trump's cyber executive order. “That was mostly a dog-and-pony show to package together reports that were already out, but it was pulled at the last minute,” commented one source privy to the internal machinations.

The release of the botnet report was also a casualty of the late confusion, the source explained.

“The botnet report is a matter of interagency coordination that took longer than expected,” the source said. “I don't think it's a fight over policy.”

The report should be out soon, according to sources, and government and industry representatives alike say the contents will be extremely useful in crafting next steps on policy toward botnets.

Meanwhile, Trump's tweets on ZTE appeared to kick aside significant policy undertakings aimed at a potential cybersecurity threat to the U.S. supply chain -- the company vigorously denies that charge -- in exchange for possible gains in trade negotiations with China.

This may mark the first time in the relatively short history of cyber policy that an identified cybersecurity risk was blatantly disregarded in exchange for achieving an unrelated policy goal.

Congressional Democrats are demanding more information on the ZTE risk, but Rep. Mike Conaway (R-TX) is arguing that the Trump tweets don't undermine his legislation to ban ZTE and Huawei from the federal supply chain.

And there was a robust discussion in the House Energy and Commerce Committee on Wednesday about whether singling out specific companies is the way to go on supply-chain security.

Wanted: coordination

The botnet report delay and the confusion over ZTE suggest why Presidents George W. Bush and Barack Obama both saw a need for an empowered, high-level cybersecurity coordinator with a direct line to the Oval Office.

Obama named the first coordinator, the late Howard Schmidt, a former Microsoft executive, but the idea germinated under Bush's cyber policy adviser Melissa Hathaway. Her seminal work on developing first-time policy structures around cyber was so well-received that Obama asked her to stay on into his administration.

Fast forward to 2018 and, with the departure of Robert Joyce from the coordinator role, Bolton has decided that the position amounts to redundant bureaucracy.

“The National Security Council’s cyber office already has two very capable Senior Directors,” NSC spokesman Robert Palladino said in a statement. “Moving forward, these Senior Directors will coordinate cyber matters and policy. As they sit six feet apart from one another, they will be able to coordinate in real time. Yesterday’s actions continue an effort to empower National Security Council Senior Directors. Streamlining management will improve efficiency, reduce bureaucracy and increase accountability.”

That assertion hasn't landed well within the cyber policy community.

Retired Air Force Brigadier Gen. Gregory Touhill, the former U.S. Chief Information Security Officer and senior DHS official, now with Cyxtera Federal Group, issued a statement saying: “This is a curious move given that cybersecurity threats are more prevalent than ever with a corresponding escalation in risks to national security and general economic prosperity. At a time when the private sector is prioritizing cyber concerns, it appears the government is not.”

Touhill explained: “The White House cybersecurity coordinator did more than just coordinating development of national cyber policy, representing the U.S. at national and multilateral discussions about cybersecurity, chairing the Vulnerability Equities Process (which governs whether and how 'zero day' vulnerabilities discovered by the U.S. government are disclosed) as well as the Unified Coordination Group and Cyber Response Group processes as spelled out in the National Cyber Incident Response Plan and PPD-41.”

He continued: “How these vital duties will be executed now is unclear -- and troubling.”

Other negative responses have come quickly from industry insiders, Capitol Hill and other former federal officials.

But Touhill, with his unique vantage point, summed it up well.

“In the past year and half, three senior U.S. government cybersecurity positions have been eliminated or left unfilled: the U.S. Chief Information Security Officer, the State Department’s Cyber Coordinator, and now the White House Cybersecurity Coordinator,” Touhill said. “It prompts the question: who now is the leader in driving US government cyber policy and synchronizing its execution?” -- Charlie Mitchell, editor, Inside Cybersecurity