Suzanne Spaulding is the senior adviser for homeland security at the Center for Strategic and International Studies. From 2013 to 2017, she was the undersecretary for cybersecurity and infrastructure at the Department of Homeland Security.
In February, Director of National Intelligence Daniel Coats deemed cyberwarfare the No. 1 threat to the United States. Yet this month, new national security adviser John Bolton decided to eliminate the cybersecurity coordinator position on the National Security Council. Bolton’s decision, justified as a move to “streamline” what is asserted to be a “core capability,” instead is likely to downgrade the priority of cybersecurity and leave top national security officials ill-equipped.
The cybersecurity coordinator position, as implemented in the Obama administration, was not perfect. But it provided an essential function on a vital national security issue. There is no evidence the situation has improved so dramatically in the past year and a half that this function is no longer needed. Coordination is important because individual departments and agencies can only do so much.
As the head of cybersecurity and critical infrastructure protection at the Department of Homeland Security, I was responsible for coordinating cybersecurity efforts for the civilian government and the private sector. Virtually every department has some role in these efforts. For example, I worked closely with the deputy secretary of energy and dozens of power company chief executives on plans to secure the electric grid. My team worked with the Treasury Department and other financial regulators on a series of exercises with senior executives from financial institutions to understand and mitigate consequences of cyber-disruption to critical financial services. Our incident response teams often included professionals from other agencies.
DHS used policy and statutory authority to provide guidance, binding operational directives, nationwide exercises and coordinated incident response. But we knew the limitations of one department “coordinating,” let alone directing, the efforts of sister departments. And it is not the role of DHS to develop a comprehensive strategy incorporating every lever available to the president.
A unified cybercapability, including offense and defense, requires White House leadership. Presidential Policy Directive 41, which clarified the roles of DHS, the FBI and the Office of the Director of National Intelligence in responding to significant cyber-incidents, could not have happened without the leadership of the White House cybersecurity coordinator. Moreover, an effective response to a major event or threat needs a senior official who can bring together all capabilities, offensive and defensive, public and private sector, and effectively tee up decisions for the president and the Cabinet. Delegating this responsibility to two relatively junior White House staffers and assuming they will be able to pull complex and massive elements of the government together in a unified strategy because “they sit six feet apart from one another,” as NSC spokesman Robert Palladino argued, is folly.
Instead, the two staffers likely will focus exclusively on the issues within their job descriptions. One is responsible for offensive cyber-activity and the other is not only charged with all defensive issues but also is dual-hatted as the federal chief information security officer — a full-time job itself. Senior directors are so overwhelmed and understaffed they can barely cover their own issues, let alone coordinate with other senior directors. Without a senior coordinator, the strands won’t come together before issues reach the desk of the national security adviser. Given the demands on that individual, the practical result will be that intractable or controversial issues will not be elevated for resolution, and progress will be stalled.
The NSC needs more coordination, not less. A criticism of the Obama administration’s NSC was that it did not adequately coordinate across the cyber, resilience and critical infrastructure offices. At DHS, we understood the growing convergence between physical and cyberthreats. As insurers are beginning to recognize, assessing cyber-risks requires learning lessons from business disruption caused by non-cyberthreats such as hurricanes. Continuing essential business or mission functions in the face of an incident may be the most important element of an effective cyberstrategy.
A strong homeland security and counterterrorism adviser could take on some of the cyber-coordination function, but that position is empty and may also be on the chopping block. Coordinating the response to a significant cyberthreat or incident today will likely fall to the national security adviser. For a national security adviser with extensive background and experience in cybersecurity, this might be doable, assuming no other pressing national security issues. For this national security adviser, during this time of global insecurity and dramatic initiatives on multiple fronts, this is a recipe for disaster.
In releasing the Department of Homeland Security’s Cybersecurity Strategy last week, Secretary Kirstjen Nielsen stated, “The cyber threat landscape is shifting in real-time, and we have reached a historic turning point. Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.” Foreign adversaries are using the Internet to undermine our democratic institutions and critical infrastructure. This demands more attention and coordination, not less.