Incoming president Joe Biden will likely have a new post to fill: national cybersecurity director.
The final draft of the National Defense Authorization Act, one of the few true must-pass annual bills, contains a provision calling for a Senate-confirmed position to orchestrate cyber strategy and coordinate incident response. The position would, in theory, serve an important role in cooperative efforts between government and industry.
Though the president has threatened to veto the NDAA without revoking liability protections for social media – a controversial policy position even before holding the military hostage to accomplish it – the NDAA agreed to by Congressional negotiators would almost definitely survive the president’s pen. It authorizes the funding the military in 2021.
The national cybersecurity director language in the NDAA was based on the National Cybersecurity Director Act, first proposed by Rep. Jim Langevin, D-R.I. The role has been backed by the bipartisan Cyberspace Solarium Commission, and the Government Accountability Office described a position of its ilk as “urgently needed.”
“The inclusion of the National Cyber Director Act in this year’s [NDAA] brings us closer to establishing an overarching and more effective cyber strategy to protect the nation,” said Langevin in a statement. Langevin has been pushing for the executive branch to permanently create such a position since 2010.
The White House used to have a adviser devoted to cybersecurity, the White House cybersecurity coordinator. The position, last held by Rob Joyce, was abolished by then-Trump National Security Advisor John Bolton when he streamlined the National Security Council.
Until then, the coordinator post was widely viewed as a critical mechanism to keep the executive branch’s cybersecurity efforts working in concert, including offensive and defensive operations. Since it was deleted, bipartisan lawmakers have looked to get the post back.
At a panel Wednesday moderated by SC Media Editor-in-Chief Jill Aitoro, Rep. Mike Gallagher, R-Wis., said the Solarium determined “a national cyber director modeled after the U.S. Trade representative was the best option, or at least the least bad option,” to codify an executive branch position.
In previous interviews, including with SC Media, he has said that he generally opposes creating new bureaucracies. But given the importance of incorporating cybersecurity expertise into the Executive Branch, a cybersecurity director is the “least bureaucratic solution.” The other option, he said, creating a full Department of Cybersecurity was overkill.
Of course, the influence of any White House cyber position is dependent upon the president. Andy Grotto worked on cyber issues at the National Security Council under both President Obama and Trump and is now a William J. Perry International Security Fellow at Stanford’s Cyber Policy Center. He told SC Media in September: “The authority of a cybersecurity coordinator rests in the prestige of the office and the barriers between that office and the president. If the president didn’t want a cybersecurity coordinator, the president would ignore the one Congress created.”
The national cybersecurity director was not the only cybersecurity effort to make it into to NDAA, which included 25 other Solarium recommendations. Among the other provisions included is one that would provide subpoena power to the Homeland Security Department for tracking critical infrastructure vulnerabilities; another that would bolstering efforts to maintain a federal cybersecurity workforce; and others that would create various cyber-related agencies and studies.