‘Time is not on our side’ — Biden navigates cyber attacks without a cyber czar

Turf wars and political battles are keeping open a role that Congress created and is demanding be filled.

The Biden White House is facing multiple cyber attacks and cyber espionage campaigns targeting U.S. companies and government agencies, without the services of a cybersecurity czar to coordinate a response and keep lawmakers in the loop.

The role, known officially as the national cyber director, remains unfilled two months into Joe Biden’s presidency despite a legal mandate that it be occupied. Congress had ordered the creation of the post in a defense bill it enacted late last year over then-President Donald Trump’s veto. And they expected the Biden White House to act quickly on it.

But nearly a dozen current and former officials familiar with the deliberations say that it has been the casualty of classic Washington dramas: executive branch officials wary of legislators meddling in their business and government bureaucrats trying to fend off potential colleagues from encroaching on their perceived portfolios.

The failure to fill the role, which would be responsible for coordinating the entire U.S. government’s defensive cyber operations, comes as the new administration grapples with how to kick suspected Russian and Chinese hackers out of federal cyber infrastructure following two major breaches. And it lays bare the challenges in setting up a brand new agency that could encroach upon some power centers in the White House, particularly the National Security Council.

Sen. Angus King (I-Maine), who serves as co-chairman of the Cyberspace Solarium Commission — the body that successfully pushed for the inclusion of the National Cyber Director role in last year’s National Defense Authorization Act — said he was “frustrated” by the delay.

“It’s like we are in conflict and they are not appointing the secretary of defense,” he said. “I would hate to have another attack occur in the next 30-60 days and still not have anyone in that position.”

The White House has indicated to lawmakers that it will send their conclusions to Congress next week, King said. But it’s still not clear when they will nominate a director, who will need to go through a potentially lengthy Senate confirmation process. Further complicating matters is that Congress has yet to fund the NCD office, making it difficult for the White House to plan out how it will be structured.

“They’re taking way too long, and while conducting this review they have not nominated someone,” said Mark Montgomery, a senior adviser to the Cyberspace Solarium Commission and senior fellow at Foundation for the Defense of Democracies. “So they are very much slowing down the development of the NCD office.”

Montgomery said he believes one reason for the delay is that the administration is “underwater” with responding to Russia’s recent hack on SolarWinds — a company whose software is used by multiple federal agencies — and China’s breach of Microsoft Exchange servers, used by many local and state governments and private companies. “Things really are very bad,” he said.

In a statement, NSC spokesperson Emily Horne said the administration has been “working tirelessly to urgently make the necessary investments to effectively defend the nation against malicious cyber activity.”

She added: “We are in the midst of a thorough and whole-of-government 60 day review regarding Solar Winds lessons learned, which includes consideration of how the new federal National Cyber Director entity will be structured in light of these lessons learned. Like Congress, we are committed to the defense of the nation’s cybersecurity. We understand the intense interest in the outcome of this review. However, this work is too important to rush and we must get it right for the American people.”

Current and former officials involved in the talks say they feel the White House has also been trying to buy time. Administration officials, including national security adviser Jake Sullivan, have been wary of the idea of a largely autonomous national cyber director role because of the power it would give to Congress in a key area of national security. The director would be Senate-confirmed and subject to congressional oversight. And, while primarily responsible for overseeing defensive operations, the office would also have visibility into sensitive offensive cyber actions coordinated by the NSC.

“I know they had those reservations initially, and I hope they’ve gotten over that,” King said, referring to the White House’s wariness of congressional involvement. “I’m sure Pericles would go home and bitch to his wife about the Athenian senate, but this is how our system works.”

Another major issue is turf — specifically, how to structure the position so that it doesn’t conflict with the Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, who is currently the senior-most adviser to the president on cyber issues.

“It is generally accepted that having a Deputy National Security Adviser for Cyber and an NCD both working out of the White House is something of a recipe for bureaucratic disaster,” said a former senior federal cyber official. “In that context, it’s reasonable to presume that any opposition to the appointment of an NCD is purely organizational, not personal.”

But personalities are, in fact, at play, said three people familiar with the dynamic. Neuberger has clashed in the past with the top candidate for the national cyber director role, Jen Easterly, who also headed cyber policy for the Biden transition team.

“They are like oil and water,” said one former national security official involved in the discussions, referring to Easterly and Neuberger. “They’re both professionals. But it is true that they do not get along.”

One recent source of tension was Neuberger’s decision to sideline a number of draft cybersecurity executive orders that were proposed by Easterly and her team during the transition, said the former official. Having shelved those options, the White House is now effectively starting over. For example, a draft executive order that would require software vendors experiencing a cyber breach to notify their federal government customers — first reported by Reuters and confirmed by POLITICO — is brand new, the former official said.

Proposals drafted by the Cyberspace Solarium Commission and provided to both Neuberger and Easterly early on in the administration did lay out a clearly defined structure for the NCD office. One of the proposals, which have not been released publicly but were reviewed by POLITICO, said the entity would “complement, rather than duplicate” the functions already being undertaken by the NSC.

The office “will work closely with the Deputy National Security Advisory for Cyber and Emerging Technology in coordinating defensive operations under the [Cyber Response Group] with offensive operations under the NSC,” the proposal says.

Another document outlining the office’s structure, however, raises a potential conflict: “The National Cyber Director should be … the primary advisor on issues involving cyber, cybersecurity, federal information security, and associated emerging technologies” — a job description that, largely, is currently enjoyed by Neuberger.

Much of the problem the White House now faces with deconflicting the jobs stems from the fact that the transition team did not think they would need or want a national cyber director, multiple people familiar with the situation said.

“The transition team imagined that they would have a coordinator role on the NSC that would restore the focus on cyber that had been lost when [former National Security Adviser] John Bolton did away with the position in 2018, and that that would be sufficient,” said a second former national security official involved in the discussions.

In fact, transition officials lobbied against congressional efforts to create and shape the cyber director position, said the former official and another person familiar with the Biden team’s efforts. The former official said the transition team “tried to kill” the national cyber director provision — inserted into the National Defense Authorization Act — altogether. The other person said the Biden team’s position was more nuanced; they did not necessarily oppose the creation of a cyber office, but did bristle at the idea of the director being Senate-confirmed.

“No administration wants to have a Senate-confirmed position inside the White House because it gives Congress some say in how the President organizes his staff and brings an obligation to testify, which other officials in the Office of the President do not do,” said Suzanne Spaulding, a former DHS Undersecretary for cybersecurity and infrastructure.

“Nevertheless, there are other confirmed positions within the White House staff and they seem to work fine,” she said. “More importantly, staff sizes within the NSC are extremely limited–basically a handful, at best, for any given issue.”

Recognizing the massive task at hand in coordinating a national cybersecurity strategy, kicking out hackers and protecting government agencies against future attack, the White House has begun to warm to the creation of the NCD office, people familiar with the deliberations said — particularly because the office will be able to access resources, review budgets, and build a staff of up to 75 people to implement a national strategy in a way the NSC cannot.

But deconfliction is still an issue. One option now being explored is to have Neuberger serve in both roles, and be dual-hatted as deputy national security adviser and National Cyber Director, said two people familiar with the discussions.

King said he would be opposed to that structure. “To say you’re going to make someone a NSC senior staff person and the NCD — I don’t think that works. I hope they don’t do that.”

Wherever the White House lands on this, a decision needs to be made soon, experts said.

“The NCD is needed to work the day-to-day deconfliction and institutionalize plans for preventing and, when that fails, responding to the next crisis,” Spaulding said. “And the next crisis could be tomorrow, so time is not on our side.”
