The National Defense Authorization Act of 2021 created the position of national cyber director to serve as the principal adviser to the president on cybersecurity policy and strategy. In the wake of the suspected widescale Russian cyberattack against the government and private sector, the position takes on even more importance.
In addition to serving as the coordinator of federal cybersecurity strategy, the person the Biden administration chooses for the role (which requires Senate confirmation) will need to work with other key advisers and government agencies.
However, the immediate task at hand will be managing the response to the attack, which the government is still investigating. William Evanina, director of the National Counterintelligence and Security Center, said on Jan. 12 that the number of agencies and private sector companies affected by the attack will likely continue to grow, according to FCW.
“Once this individual is appointed and confirmed, this would be the individual who is coordinating the response,” Rep. Jim Langevin, one of the members of Congress who was deeply involved in getting the position created, tells The Hill.
What Will the National Cyber Director Do?
The national cyber director will have many responsibilities. According to the statute, this person will be the main adviser and coordinator for information security and data protection, programs and policies intended to improve the U.S. cybersecurity posture, and efforts to understand and deter malicious cyber activity.
The person will also be in charge of efforts to enhance the security of IT services and promote national supply chain risk management and vendor security. That is of particular importance since the Russian hack came through the software supply chain.
Additionally, the national cyber director will be responsible for “diplomatic and other efforts to develop norms and international consensus around responsible state behavior in cyber-space,” according to the law, as well as initiatives around “awareness and adoption of emerging technology that may enhance, augment, or degrade the cybersecurity posture of the United States.”
Practically, job No. 1 will be responding to the Russian attack. As The Hill reports, “the Commerce, Defense, Energy, Homeland Security, Justice, State, and Treasury departments have all said they were compromised by the hack.”
“Rather than response being ad hoc and figuring out as we go, you’d have someone who has a well thought out plan for a thorough and aggressive response, and we would be much more effective,” Langevin tells The Hill about the role the cyber director will have in responding to the attack.
The law calls for the national cyber director to “lead coordination of the development and ensuring implementation by the Federal Government of integrated incident response to cyberattacks and cyber campaigns of significant consequence.” Those efforts include establishing with relevant agencies “operational plans, processes, and playbooks” for incident response, including the integration of defensive and offensive cyber plans and capabilities.
Experts argue that even before the national cyber director is confirmed by the Senate, the Biden administration should start adding staff to the director’s office. “The staffing effort should balance all available hiring authorities — to bring in personnel from outside the government — and specify which departments and agencies can offer detailees to the office in order to efficiently build its 75-member staff,” Mark Montgomery, senior director of the Center on Cyber and Technology Innovation, and Robert Morgus, a senior director for the U.S. Cyberspace Solarium Commission, write in War on the Rocks. “The goal should be to have the office up and initially functioning with 25 staffers by March 1 and fully functioning with 75 personnel by May 1.”
How Will the National Cyber Director Work with CISA and Others?
The national cyber director will need to work effectively with other relevant players and agencies in the federal cyber realm, Montgomery and Morgus argue. That includes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which also needs a new permanent director.
“This is important not only to establish the national cyber director’s role as the implementer of the president’s national cyber policy, but also to gain a better understanding of where each relevant department and agency currently sits with regard to cyber priorities and capabilities,” they write.
According to the law, the cyber director is to “coordinate” with the attorney general, the federal CIO, the director of the Office of Management and Budget, the director of national intelligence, and the director of CISA in order to streamline “Federal policies and guidelines” and “regulations relating to cybersecurity.”
“The bill does not specify the precise purpose of such ‘streamlining’ efforts, but it does refer in part to existing federal law concerning the information security practices of federal agencies,” Robert Chesney, a law professor at the University of Texas School of Law, writes on the Lawfare blog. “For most government agencies, CISA already performs the role of key overseer of their information security practices.”
The national cyber director is also in charge of efforts to “coordinate and consult with private sector leaders on cybersecurity and emerging technology issues in support of, and in coordination with” the director of CISA, the director of national intelligence and other appropriate federal agencies.
The national cyber director will also likely need to work with Anne Neuberger, the cybersecurity director at the National Security Agency, who will become the first deputy national security adviser for cyber and emerging technology on the National Security Council. How that arrangement will work, exactly, is up in the air.
Chris Painter, who was a State Department cyber coordinator in the Obama administration, tells The Washington Post that “there’s this real open question” about how the two roles will mesh. Painter tells the Post that if the national cyber director is someone who is too offense-minded when it comes to cybersecurity, that might tip the scales too much in favor of offensive cyber operations.
Megan Stifel, executive director for Americas at the nonprofit Global Cyber Alliance, tells the Post that someone who served at CISA or in the Commerce Department could balance the equation in the national cyber director role.