Russian Cyber Swipes Expose U.S. Leadership Gap
Biden's new cyber czar slot threatens to add confusion to the top
Sometime in early June, the Senate Homeland Security and Governmental Affairs Committee will hold the nomination hearings for two senior Biden Administration cyber appointees: Jen Easterly for the DHS Cybersecurity and Infrastructure Agency (CISA), and former NSA Deputy Director Chris Inglis for the new National Cyber Director (NCD) position. Both are well respected and very competent. Both will be appearing before a very supportive committee. Both are likely to pass through fairly easily.
And Congress needs to move fast. We simply cannot afford to be without cyber leadership amid unrelenting foreign attacks. The last several months have presented the Biden Administration and the American public with a litany of increasingly large cyber “break ins,” like 2020’s Solar Winds and this week’s revelation that Russian intelligence broke into 3,000 email accounts of over 150 non-profit and government organizations. Add to this the unprecedented cyber ransom of one of the largest oil pipelines in the United States; literally stopping the flow of oil on the East Coast and causing the first gas station lines since the Arab Oil embargoes of the 1970’s. Enough is enough.
Comprehensive action, coordinated, and imposed across public and private sectors is urgently needed from the top. Executive orders on cyber security—affecting mostly the federal government—and the DHS’s energy industry-focused cyber regulations are stop gaps at best.
The role of heading CISA is continuing to be defined, but has begun to form as the domestic go-to point for cyber concerns. However, the newly created role of the NCD is still ambiguous and its road to relevance paved with bureaucratic landmines. So, speaking as an old Hill “rat,” while it is always dangerous to tell the Congress what to do under any circumstance, allow me to lay out some thoughts about the kinds of pertinent questions that need to be considered as Inglis’ hearings roll forward.
The Three Bigs
There are three overarching issues that should be dealt with by the Committee: 1) What is a National Cyber Director? 2) What does an NCD do? 3) Who is this NCD in relation to his colleagues?
In the world of D.C., there is the written law and the spirit of the law. The latter reflects how the law is really enforced—and it can differ a lot from the original intent. So, the question stands, what is a National Cyber Director and how does the Joe Biden administration view the “spirit” of that position?
By law, the NCD is supposed to be a cabinet-level position. So does this mean the NCD sits in on all the executive meetings or some of the meetings where he is considered “relevant”? And who determines that relevance?
The law wants him to be the senior cyber person in the U.S. government. That seems to imply some form of control over both domestic and civilian sides of government. For example, the U.S. Trade Representative office has a senior position on trade issues for the U.S., in contrast to the Office of National Drug Control Policy, where the “drug czar” is more of an advisory position.
Which is the NCD?
As Cuba Gooding, Jr. screamed into his phone in Jerry Maguire—show me the money. This is a crucial, power building point for the NCD. Is this "czar" a coordinating person only, or does the NCD have access from the Office of Management and Budget to government-wide money and programs to take part in producing the president’s budget? If so, that will put Inglis in an interesting position: Will he be in charge of coordinating cyber budget, program, and manpower between the defense and the civilian sector?
Also, does his position mean the NCD is going to lay out policy guidance and directives (“thou shalt do this”) to CISA, NIST (the National Institute of Standards and Technology) and myriad other alphabet agencies? And will Inglis be proposing laws about cyber to all the other stakeholders in the sprawling U.S. critical infrastructure world? In other words, is Biden giving him a whip to tame the wild cyberspace going forward? We don’t know.
Finally, a sensitive question has to be asked: Who are you, really?
The personnel now involved with cyber at the highest levels of government all come from the NSA, our top code-breaking and electronic spying agency. That’s where the expertise has resided, and so be it; no one can say any of these people are less than superbly qualified in the U.S. government level cyber arena.
However, today’s national emergency lifts them to the highest policy and political levels. Their political pressures and access to power will be vastly different than, say, four years ago. How is Inglis going to deal with the White House National Security Council and a deputy national security advisor for cyber, Anne Neuberger, who served under him at the NSA but now looks to be higher in the food chain?
And, an even more difficult question to be answered: Inglis, Neuberger, and Jen Easterly (head of the DHS Cybersecurity and Infrastructure Security Agency) all served at NSA. How do they avoid groupthink coming from such a unique culture?
Meanwhile only Easterly, who retired as an army lieutenant colonel with years of both D.C. and battlefield intelligence chops, has some deep private sector experience. The others don’t. How will this team fare with this overall lack of intimate, corporate-world familiarity given that more than 80 percent of the Internet is in private hands, motivated by profit, and not happy about taking on additional regulatory expenses because the government tells them so?
As a citizen, I wish nothing but the best for the Biden cyber team. America is being humiliated, embarrassed, and compromised under the current system. This simply cannot stand. Congress needs to move these people into their new jobs pronto—but not before asking the right questions and getting the right answers from them. We simply cannot afford anything less.
Former CIA official Ronald Marks was intelligence counsel to two Senate majority leaders. Now an IT executive, he is also a visiting professor at George Mason University.