AI Cyber Risks Are Testing the Office Built to Coordinate Them

AI models with increasingly sophisticated cyber capabilities are forcing a basic institutional question: Is the federal government prepared to help public and private actors anticipate and respond to the risks those models may create? A review of the administration’s whipsaw approach to AI-related cyber risks indicates that a component of that preparedness—the Office of the National Cyber Director (ONCD)—may not be fulfilling its intended purpose. More specifically, the ONCD does not seem to be leveraging its cyber expertise to inform and coordinate the executive branch’s response to emerging issues.

Though some cyber experts have dismissed panic over frontier models such as Anthropic’s Mythos and OpenAI’s ChatGPT 5.5 as premature and unjustified, several members of the Trump administration have determined that the threats posed by existing models warrant a proactive response. Treasury Secretary Scott Bessent in particular has pushed the Administration to take seriously the cyber capabilities of models like Anthropic's Mythos and OpenAI’s ChatGPT-5.5. 

The administration’s most concrete action was a draft executive order on cyber resilience and pre-deployment evaluation of sufficiently capable AI models. That order was pulled hours before a planned signing ceremony. Even so, the draft confirms that AI-enabled cyber risk has become a live White House concern. Among other provisions, the order directed several executive branch actors to exercise cyber-readiness authorities, including by deploying resources and expertise to private and public actors that may be especially susceptible to threats introduced by advanced AI models.

The episode raises a harder question than whether one executive order was well-conceived: whether the office Congress created to coordinate national cyber policy is structured to handle the cross-cutting risks that AI now presents.

The White House’s AI-Cyber Coordination Problem

Congress created the ONCD in 2021 to oversee the executive branch’s response to emerging cyber issues. Yet, it’s not clear this office was actually driving the administration’s response to Mythos and related AI-based cyber risks.

In early 2025, President Trump selected Sean Cairncross as the third director of ONCD. Cairncross’s profile differs markedly from his predecessors, Chris Inglis—a former commissioner on the U.S. Cyberspace Solarium Commission, a panel established to offer recommendations for maintaining and extending the nation’s cyber advantages—and Harry Coker, former executive director of the NSA and long-time CIA employee. Cairncross previously served in a variety of private and political leadership roles and lacked any prior cyber- or computer science-adjacent work history or education. Cairncross acknowledged that he lacked a “technical background in cyber,” when asked by Sen Gary Peters (D-Mich.) during his confirmation hearing. He instead pointed to his experience dealing with cyberattackers from the “user side” given that hackers had targeted some of the organizations he had been a part of. Nevertheless, he earned the endorsement of a range of cybersecurity professionals, including former Director Inglis. The Senate went on to confirm him by a wide margin.

Since taking office as director in August 2025, Cairncross has been asked to do more with slightly less. Though President Trump’s budget calls for maintaining the ONCD at 85 full-time employees, he would reduce its budget by $3 million. Yet, a range of existing and pending cyber priorities will demand more from the office. Cairncross must oversee the implementation administration’s recently released Cyber Strategy for America. This is a tall order. Notably, the strategy recognized that the portfolio of risks facing the nation warrant “a level of coordination, commitment, and political will never before marshalled against cyber threats.” Recent AI developments are only further complicating the threat portfolio.

Yet, fast forwarding to the recent executive order, reports indicate that Bessent, not Cairncross, backed a more aggressive cyber posture. According to Politico, Bessent’s advocacy for executive action on AI was spurred by his “concern [that] Cairncross was not moving swiftly enough to address potential risks to critical infrastructure and the financial system.” Cairncross’s reported opposition to a more aggressive response to cyber risks posed by frontier AI models is hard to square with previously announced policy stances.

That makes Cairncross’s reported hesitancy somewhat difficult to explain. The order’s provisions align with the sort of information exchange Cairncross endorsed during his confirmation process. In a written response to post-hearing questions, he proposed "ensuring that the government and the private sector have robust information exchange to illuminate the battlefield." He continued, "If confirmed, I look forward to identifying any barriers to this kind of collaboration and solutions to address them by facilitating trusted partnerships between the private sector and government."

The process only deepened the uncertainty over who was and is leading the administration’s AI-cyber response. Despite Bessent playing an “outsize role” in shaping the administration’s post-Mythos AI policy, the order is on the backburner. President Trump pulled the order at the last minute, which he reportedly did at the behest of David Sacks, the administration’s former AI and crypto czar, who claimed to be speaking on behalf of industry stakeholders. In the latest example of what Lawfare’s Alan Rozenshtein and I refer to as “Governance by Phone Call,” Sacks reportedly steered the president away from signing the order by highlighting two things: First, he flagged that labs are already collaborating with the federal government prior to the release of their models, as indicated by Anthropic partnering with selected government actors around its Mythos model and leading labs agreeing to testing of their models by the Center for AI Standards and Innovation. Second, Sacks warned that the order might slow the pace of U.S. innovation at a time when it is narrowly ahead of China in terms of AI development and diffusion.

One industry representative told Politico that the entire process surrounding the drafting and withdrawal of the order was “a mess.” Neither Cairncross, nor Bessent for that matter, received advance notice of the president's plan to postpone the order. However, several sources have conveyed that Cairncross is expected to lead the administration’s next steps. Cairncross overseeing such a significant policy matter may not generate broad support given earlier reporting that several officials and industry stakeholders worry he “lacks the expertise to lead on such a technically complex and emergent national security issue.”

The episode warrants scrutiny because it tests the premise behind the ONCD: that someone in the White House should be responsible for coordinating cyber policy when risks cut across agencies, sectors, and technical domains. AI-enabled cyber risk is exactly that sort of problem.

Why ONCD Was Built This Way

The best way to establish a one-stop shop for cyber policy across the executive branch has proven elusive. Early efforts to centralize cyber policy did not produce a durable White House coordinating function. President George W. Bush designated a single individual in the White House, the cybersecurity coordinator, to help manage cyber initiatives and responses. That arrangement continued under President Barack Obama until the position was eliminated in 2018 under the first Trump administration. The Cyberspace Solarium Commission responded to that void by making the case for a statutory solution in 2020. Congress responded by creating the ONCD. Jim Langevin (D-RI), who championed the creation of the office, explained what motivated his support:

Only within the White House can we cohesively develop and implement a truly whole-of-nation cyber strategy that is commensurate with the threats we face. By establishing a National Cyber Director with the policy and budgetary authority to reach across government, we can better address cybersecurity vulnerabilities and gaps holistically and prevent catastrophic cyber incidents

If ONCD is struggling to play that coordinating role, part of the explanation may lie in flaws with the office’s original design. As pointed out by John Costello and Mark Montgomery at the outset of the ONCD, the office's limited authority did not match the scale and scope of its mission. As they wrote in Lawfare, the legislation "confers the NCD with functions and responsibilities but few authorities independent of those already vested in the president." The effectiveness of the role instead "hinges on their proximity to—and the confidence of—the president they serve. This rings particularly true in the ability of any of these positions to influence policy." As a result, when a director lacks such proximity, the office may struggle to achieve its purpose. Changes to the authorities afforded to both the director and the office as a whole could reduce the odds of cyber policy being excessively shaped by relationships and personalities.

Practical Reforms

The president can take several steps to make ONCD a more effective source of timely and technically grounded advice. First, to the extent Cairncross’s limited technical experience is inhibiting the value of his advice, the President should invest more heavily in the Office so that it can recruit and retain experts that can fill in any technical gaps. The President may be willing to do so in light of recent evidence that cyber threats posed by AI will only continue to mount as Anthropic, OpenAI, and other labs continue to push the frontier. As mentioned above, the office features just 85 employees working with a smaller budget than in the prior administration.

Congress could also help strengthen the hand of the ONCD by revisiting the office’s statutory design. Doing so would require Congress to buck its usual approach of “taking a relatively light touch in dictating how presidents use their advisers,” to quote Costello and Montgomery.

That sort of statutory clarification would not be unprecedented. Under specific circumstances, Congress has given White House officials and offices more specific responsibilities when a policy domain requires sustained coordination across agencies. The U.S. Trade Representative (USTR) is a useful template.

Up through the 1950s, the State Department took the lead on trade negotiations. Congress wanted to reduce the extent to which foreign policy matters were steering trade decisions, so in 1962 it established the Special Representative for Trade Negotiations, which was housed in the Executive Office of the President. Later, Congress sought to elevate that role by allocating more funds to the position as well as expanding the role's legal authority. The Carter Administration further tinkered with the role--again expanding its duties, resources, and primary over other relevant stakeholders. By the end of the 1970s, Congress codified such changes, giving the USTR “primary responsibility” for developing and coordinating implementation of U.S. international trade policy. Additionally, the Representative is statutorily designated as the President's "principal advisor" on trade as well as the "chief representative of the United States" in trade negotiations. That directive theoretically cleared the way for a more streamlined and consistent trade posture. Cyber may now require a similar move.

Congress should amplify the “positional authority” of the Director, as recommended by the Cyberspace Solarium Commission. It could start by further clarifying ONCD’s coordinating role--leaning on the language employed to solidify the USTR. It could amend the National Cyber Director Act to provide that the Director has “primary responsibility” within the Executive Office of the President for developing, coordinating, and assessing implementation of national cyber strategy and has the “lead responsibility” for devising and executing the United States’ response to emerging cyber risks. Additionally, Congress could authorize the office to make sure agency-specific regulations are not at odds with the nation’s cyber posture nor inconsistent with one another. These steps to bolster the Director’s authority may quash turf wars when the nation needs a clear path forward on timely cyber issues.

Finally, Congress ought to provide the ONCD with greater authority to act on the nation's cyber strategy. The Cyberspace Solarium Commission also flagged this as one of its core policy recommendations for the Trump administration and Congress. As it stands, the office lacks the authority to oversee cyber investments across the executive branch. The Cyberspace Solarium Commission warns that this lack of authority leaves "federal resources missing, fragmented or duplicative."

Those three steps would not guarantee better cyber policy. They would, however, reduce the odds that the next major AI-cyber decision is shaped by competing agency assessments, disharmonious regulations, and squabbles among department heads.

The Next Cyber Coordination Test

The federal government has spent more than two decades relearning the same lesson: cyber threats punish fragmented authority. AI will make that lesson harder to ignore. Models with stronger cyber capabilities will move faster than ordinary interagency processes, implicate public and private systems at once, and blur the lines among national security, financial stability, critical infrastructure, procurement, and innovation policy. The ONCD was created because Congress understood that the nation needed someone in the White House responsible for seeing across those lines. If the Director lacks the authority, access, staff, or process to perform that role, then the office risks becoming another well-intentioned experiment in a long history of incomplete cyber reforms. Congress can avoid adding to that history by bolstering the positional authority of the Director and authorizing the ONCD to more meaningfully direct the rest of the executive branch.