In the weeks leading up to President Joe Biden’s inauguration through the early days of his term, nominations of cybersecurity officials filtered out at a remarkable rate.
That fact, combined with a commitment to investigate the SolarWind attack, provides some reassurance that the federal government might prioritize cybersecurity and coordination with the private sector more under Biden than the Trump administration.
“Personnel means resources and focus,” said Kelvin Coleman, executive director of the National Cyber Security Alliance, a public/private partnership promoting cybersecurity. “If I’m a chief information security officer, I’m a bit more confident that we’ve gone from debating whether or not cybersecurity is an issue to discussing how to mitigate the issue.”
The roster of nominations noteworthy. Anne Neuberger, head of the National Security Agency's Cybersecurity Directorate, was chosen as deputy national security adviser for cyber and emerging technology – a completely new position. He also staffed the National Security Council with Michael Sulmeyer, former director of the Cyber Project at Harvard's Belfer Center, who will serve as senior director for cyber; and former assistant secretary for infrastructure protection with the Department of Homeland Security, Caitlin Durkovich, as senior director for resilience and response.
Former deputy secretary at the Energy Department and White House coordinator for defense policy, countering weapons of mass destruction, and arms control, Elizabeth Sherwood-Randall, was named homeland security adviser. And Russ Travers, former deputy director of the National Counterterrorism Center, was nominated as her deputy.
And before the election, Biden announced new Secretary of Homeland Security Alejandro Mayorkas, who had a background in cybersecurity and other security matters at the Department of Homeland Security.
Congressional staff and former government and intelligence officials focused on cybersecurity believe the speed at which Biden is assembling his cyber team is the result of a number of factors, including his philosophy of a government that hits the ground running, a confluence of new positions available to the president and an understanding the issue has become more urgent. It adds up to a president meeting an unprecedented threat to the public and private sector with the largest and most qualified executive team a president has ever assembled.
“This is the first administration which is really cyber-savvy right from the start,” said Jay Healey, former White House director of infrastructure protection and current senior researcher at Columbia University’s School of International Policy and Affairs via email. "In my time in Bush 44, there were so few cyber-policy professionals; I was hired even though I had voted Democrat. Obama had more, but still limited choices (and positions to fill). Eight years later, Trump did not take advantage of the growing talent, ruling out talented never-Trump Republicans and non-partisan technocrats. Now, Biden can take advantage of the largest pool of talent, many of whom were last in government only four years ago.”
On a structural level, Biden has been able to appoint more cybersecurity-related positions in the early days of his presidency than other presidents because there are more of those positions to fill than ever before. The National Defense Authorization Act, which passed less than a month ago, created a new national cyber director position that Biden is expected to fill with former NSA and Morgan Stanley official Jen Easterly. Biden is also expected to name Rob Silvers to head the Cybersecurity and Infrastructure Security Agency in the near future, which only became a full agency of the Department of Homeland Security midway through Trump's tenure.
At the same time, the early rush to staff these roles, everyone who spoke to SC Media agrees, is the logical result of the evolving threat – not a pet project or a response to a single incident (like the recent Sunburst campaign).
“It’s been a top issue in the director of national intelligence threat assessment for the past five years,” said Jonathan Reiber, director of cybersecurity strategy and policy at AttackIQ, and former chief strategy officer in cybersecurity at the Office of the Secretary of Defense. “We are long overdue to have a president who focuses this much on the issue.”
And while Biden named cybersecurity personnel at a breakneck pace, the same could be said for other roles across the federal government. This seems remarkable after an administration functioned largely on acting directors and streamlined leadership.
“You see appointments across the board. I don’t think cybersecurity is out of whack with other priorities," said Michael Daniel, former White House Cybersecurity Coordinator and current president and chief executive of the industry threat sharing group Cyber Threat Alliance. "What Biden is prioritizing is the ability to govern.”
The way Donald Trump organized government, structure was less important than agility. Several cybersecurity posts were eliminated – including the top cybersecurity diplomat in the state department and the White House cybersecurity coordinator. Those duties transferred to other existing positions. Agencies were given a lot of autonomy without a White House higher up to deconflict all their moves.
The quick reintroduction of an organizational structure has a lot of advantages, both for governments and the people they serve. There’s more guaranteed focus on issues, and cybersecurity won’t get lost in the shuffle of a White House immediately focused on COVID-19, for example.
“I have a hopeful sense that customer service can now be more of a priority for the team.” said Phillip Reitinger, former deputy undersecretary in charge of the National Protection and Programs Directorate – what would eventually be reconfigured into CISA – and director of the National Cybersecurity Center. Reitinger currently serves as president and chief executive of the Global Cyber Alliance.
Reitinger added that even with a fast start, it will take time to see how a culture of interagency coordination develops between the personnel.
Key to that process is the new national cyber director. The position was developed by the bipartisan Cyber Solarium Commission and intended to oversee the executive branch’s cyber strategy.
The newness of the position makes it hard to clearly define its role in the process. Go too far in one direction, noted Daniel, and the position might usurp CISA.
Given the loose boundaries of the NCD, AttackIQ’s Reiber said he hoped it might develop, in part, to be an "Anthony Fauci”-type trusted face of government cybersecurity efforts and best practices to the public.
He said Jen Easterly, currently considered the frontrunner for the job, could make for that steady and competent voice (“One of the most talented security professionals that I know,” said Reiber). Easterly is a former NSA official who now heads Morgan Stanley’s efforts for resilience.
The appointments and presumed future appointments draw heavily from people with public sector experience, a move that has been criticized by some as lacking the nuances of the private sector. Reiber rejects that criticism, pointing out that many of the appointments from departments like Energy and Homeland Security experienced deep working relationships with the private sector.
In Easterly’s case, said Daniel, it makes perfect sense to hire someone familiar with the inner workings of the federal government.
“Setting up a new government office is not like setting up a new business,” he said.