Rather than lopping off a redundant layer of bureaucracy, two cyber policy veterans argue that the Trump administration has nixed the White House cybersecurity coordinator role without having a strategic plan for addressing the myriad issues that previous occupants of the post tried to tackle.
“When Howard Schmidt, Michael Daniel, or Rob Joyce spoke on cyber issues, the world paid attention,” retired Air Force Brigadier Gen. Gregory Touhill said in a statement.
Touhill, the former U.S. Chief Information Security Officer and senior Department of Homeland Security official, now with Cyxtera Federal Group, was referring to the three men who've held the position since 2009. Joyce recently resigned; Schmidt, who passed away last year, was President Obama's first cyber coordinator while Daniel held the post in Obama's second term.
Kiersten Todt, who ran Obama's Commission on Enhancing National Cybersecurity in 2016, noted in an interview that the commission called for investing the coordinator with even more authority in order to “ensure the individual responsible for cybersecurity has direct reporting to the president, given the importance of the issue to the national and economic security of our country.”
“Every administration comes in and tries to organize as they think will be most effective,” Todt said. “But I don't see a structure and organization in place to respond to the cybersecurity threats as we are seeing them.”
The problem predated the departure last week of Joyce, and previously of White House homeland security adviser Tom Bossert, she said, because both officials were given extensive duties beyond cyber by President Trump.
The White House confirmed this week that it wouldn't fill the coordinator role, a decision that rattled cyber policy circles.
As an example of the policy gap that will be exacerbated by elimination of the coordinator role, Todt pointed to the 2017 response to the Equifax hack that affected over 140 million Americans.
Federal authorities were dealing with severe hurricanes and the mass shooting in Las Vegas as the Equifax hack came to light, she recalled. “Equifax was put on the back burner, but there should've been a team of people working on that.”
“I'm concerned that we've eliminated a position without having a plan for dealing with the challenge,” Todt said. “We lost two very thoughtful and competent people in Bossert and Joyce.”
Todt, who is president and managing partner of risk management firm Liberty Group Ventures, mentioned challenges in areas like social media and said there “is an opportunity for thoughtful collaboration and policy around these issues between the industry and government. Industry has come to the table to discuss, the responsibility is now on the government to engage effectively.”
Moving forward, looking back
The White House is reportedly interviewing for the Bossert position, while cyber coordinator functions have been taken over by two directors within the National Security Council.
“Moving forward, these Senior Directors will coordinate cyber matters and policy. As they sit six feet apart from one another, they will be able to coordinate in real time,” an NSC spokesman said in a statement.
But Touhill elaborated in his statement on the purpose and value of the cyber coordinator position, noting that it was created with an eye toward extensive engagement across government as well as internationally, and with the private sector and other entities.
“The cybersecurity coordinator position was created in 2009, culminating efforts launched during the Clinton and Bush administrations to address growing cyber threats to critical infrastructure, which could potentially jeopardize national security and national prosperity,” Touhill said.
“The position was created to coordinate interagency cybersecurity policy development and implementation and to coordinate engagement with federal, state, local international and private sector cybersecurity partners,” he added. “The position also became a critical and invaluable cybersecurity leadership position inside and outside of the U.S. government.”
Touhill explained: “The White House cybersecurity coordinator did more than just coordinating development of national cyber policy, representing the U.S. at national and multilateral discussions about cybersecurity, chairing the Vulnerability Equities Process (which governs whether and how 'zero day' vulnerabilities discovered by the U.S. government are disclosed) as well as the Unified Coordination Group and Cyber Response Group processes as spelled out in the National Cyber Incident Response Plan and PPD-41.”
He concluded: “How these vital duties will be executed now is unclear -- and troubling."
Todt added that overall, “we're lacking a White House strategy on cybersecurity -- not a PowerPoint, a strategy. The White House has to endorse and drive the strategy.” -- Charlie Mitchell (cmitchell@iwpnews.com)