Published by The Lawfare Institute
Over the new year, Congress overrode President Trump’s veto to enact into law the National Defense Authorization Act (NDAA) for fiscal 2021—an annual piece of legislation that lays out the budget, expenditures and policies of the Pentagon for the upcoming year. This year’s NDAA also contains numerous cyber-related provisions, among them § 1752, which establishes a new Office of the National Cyber Director (ONCD) within the Executive Office of the President (EOP). The head of the ONCD, the national cyber director (NCD), is subject to Senate confirmation and is tasked with serving as “the principal advisor to the President on cybersecurity policy and strategy relating to the coordination of” defensive strategies for federal and critical infrastructure organizations, incident response, diplomatic initiatives relating to cybersecurity, efforts to deter adversaries and industry engagement. The NCD will lead a sizable office of up to 75 staff.
The legislation implements one of the signature recommendations of the Cyberspace Solarium Commission, which Congress established in 2019 to develop a strategic approach to combating future cyberattacks. The commission proposed the national cyber director concept as a remedy for what it assessed to be insufficient institutionalization of policymaking around cyber strategy and a lack of interagency coordination. Having a Senate-confirmed NCD will also give Congress, as commission co-chair Sen. Angus King has quipped, “one throat to choke” on cyber issues.
It will fall on the incoming Biden administration to implement the new office and send the first nomination for national cyber director to the Senate. Much hard work lies ahead. The administration will have to create a new organization within the EOP, itself no easy task. And it will also need to immediately address what is clearly among the most damaging cybersecurity breaches in American history—a major hack of SolarWinds software perpetrated by Russia affecting hundreds of victims in the federal government and the private sector.
The history of so-called “czars”—officials appointed by the president to serve coordinating roles on various matters of policy—is instructive. On the one hand, the legislation avoids several pitfalls that have limited the legitimacy and effectiveness of other czars: The national cyber director is subject to Senate confirmation, for example, and the law authorizes a substantial ONCD staff. Congress also authorized the director to “promulgate such rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the Director” [§ 1752(e)(3)]. This is a potentially powerful tool, and one that the ONCD’s peer policy coordination organizations within the EOP do not have.
On the other hand, research by scholars of the presidency suggests that at least four additional factors contribute to the success of a policy czar: clarity of mission, expertise, a high-profile problem or task to tackle from day one, and insider access to the president and his senior leadership team. As I argue below, the legislation puts the burden for satisfying these key factors on the president. Despite its robust legislative mandate, the national cyber director concept is not self-executing.
Specifically, President Biden and his leadership team will need to clarify the ONCD’s mission, especially its relationship to the National Security Council (NSC); recruit as national cyber director someone capable of navigating complex policy and bureaucratic landscapes; pick a suitable problem for the director to tackle from the start, such as the SolarWinds hack; and give the NCD direct access to the president.
Clarity of Mission
As history shows, White House policy czars fizzle out when their missions are not crystal clear. One particularly high-profile case is that of Kristine Gebbie, President Clinton’s chief AIDS policy officer. Tasked with ensuring policy coordination between agencies, she was ultimately stuck in a position with, in her words, “almost nothing written down about what it should be,” disappointing many who had high expectations for her appointment and eventually leading to her resignation.
The statutory language for the national cyber director role leaves the president with considerable discretion to define the director’s scope of duties and responsibilities, which are “[s]ubject to the authority, direction, and control of the President.” Biden and his successors should mold the mission of the ONCD to fit their preferred structure for White House policymaking and coordination. Preferably, this would take the form of an executive order or a presidential policy directive that defines ONCD’s mission and its relationships with other EOP organizations, especially the National Security Council.
The NDAA has a written list of responsibilities for the national cyber director, which at first glance appears both specific and vast. The director will:
- [S]erve as the principal advisor to the President on cybersecurity policy and strategy relating to the coordination of [cyber defense, cyber-related diplomacy, understanding and deterring malicious cyber actors, and engaging with industry, among others] [§ 1752(A)]
- [O]ffer advice and consultation to the National Security Council and its staff, the Homeland Security Council and its staff, and relevant Federal departments and agencies, for their consideration relating to the development and coordination of national cyber policy and strategy, including the National Cyber Strategy [§ 1752(B)]
- [L]ead the coordination of implementation of national cyber policy and strategy [§ 1752(C)]
- [L]ead coordination of the development and ensuring implementation by the Federal Government of integrated incident response to cyberattacks and cyber campaigns of significant consequence [§ 1752(D)]
- [P]repar[e] the response by the Federal Government to cyberattacks and cyber campaigns of significant consequence [§ 1752(E)]
- [C]oordinate and consult with private sector leaders on cybersecurity and emerging technology issues in support of, and in coordination with [interagency partners] [§ 1752(F)]
- [A]nnually report to Congress on cybersecurity threats and issues facing the United States [§ 1752(G)]
- [O]ther functions as the President may direct [§ 1752(H)]
The legislation does not assign the national cyber director any operational responsibilities. Policy implementation will continue to be conducted by agencies, consistent with their statutory mandates. Nor does the legislation give the director any authority to make agencies do anything: The NCD can “advise,” “review,” “facilitate,” “offer consultation,” “assess,” “monitor,” and “coordinate,” but not direct, command or require. The National Security Council has traditionally operated under similar constraints, so these caveats—while important to understanding the scope of the NCD’s mandate—are not unique to the new position.
The legislation also does not envision a prominent role for the national cyber director in the development of offensive cyber operations. Instead, it directs the NCD to “support … the integration of defensive cyber plans and capabilities with offensive cyber plans and capabilities” as part of the ONCD’s mission to coordinate the response to major cyber incidents. This is a subtle but potentially significant limitation on the scope of the NCD’s potential responsibilities, because it implies that the director cannot point to statutory language as justification for participating in strategic planning and doctrine development for offensive cyber operations outside the context of responding to cyber incidents.
Presumably, Congress expects the National Security Council to continue to coordinate offensive cyber policy. Most of the statutory functions listed above, however, duplicate the other cyber policy coordination functions that in previous administrations had been wielded by the NSC—especially the Cyber Directorate, where I served as a senior director in the Obama and Trump administrations, as well as the federal information technology policy coordination functions split between the NSC and the Office of Management and Budget (OMB). The latter is home to the Federal Chief Information Security Office, the most recent leader of which was dual-hatted as an NSC senior director. The Biden transition has already announced that Anne Neuberger, a highly respected senior career civilian employee of the National Security Agency, will serve on the NSC staff as deputy national security adviser for cyber and emerging technology.
While the legislation is arguably specific as to the outer limits of the national cyber director’s responsibilities, challenges may arise from how the legislation would have the director wrest policy coordination functions from other organizations within the EOP. Who will coordinate the coordinators?
Unlike the National Security Council, which has a formal interagency policy process defined in presidential policy directives and its own executive secretary for managing communications and documents, Congress chose not to create a native, NCD-led interagency policy process for the ONCD. Instead, Congress has given the president discretion to decide how best to organize the ONCD’s policy process and sync it with other White House-led policy processes. This discretion extends to participation in NSC deliberations: The law makes the NCD a discretionary, not statutorily required, member of the NSC and allows the president to decide whether and when to invite the NCD to participate in NSC meetings. Section 1752(B) of the legislation also envisions the NCD advising the NSC and the Homeland Security Council (HSC)—which is statutorily distinct from the NSC but practically integrated into it—on cyber strategy.
This National Security Council advisory role implies that Congress envisions a continued role for the NSC in coordinating cyber policy, beyond just offensive cyber operations. The statute is otherwise vague on the relationship between the ONCD’s mission and the NSC’s mission. Cyber policy is inextricably linked to national security, foreign policy and homeland security—policy domains that historically have fallen under the coordination remit of the NSC. There are few “pure” cyber problems; a great many of the hardest problems are “cyber and ...” problems: cyber and Russia, cyber and China, cyber and trade policy, cyber and regulatory policy for critical infrastructure, cyber and covert action, cyber and military operations—the list could go on. Cyber policy should and must remain a core part of the NSC’s policy coordination remit.
Given how inseparable cyber policy is from broader national security strategy, one attractive option could be to integrate the ONCD or even just the national cyber director into the NSC structure, akin to how the NSC has essentially absorbed the statutorily distinct HSC. The NCD and his or her team could be dual-hatted as NSC staff and integrated into the NSC process, including its powerful executive secretary infrastructure. There is precedent for this approach beyond the HSC: The NSC International Economics Directorate, for example, has been led in the past by a dual-hatted National Economic Council official (current national security adviser Robert C. O’Brien shuttered the NSC office in 2019). The executive secretary infrastructure is foundational to the NSC’s robust role in developing, coordinating and overseeing the implementation of policy. It is used to edit, disseminate and track sensitive national security-related correspondence and memos for the president and Cabinet, as well as to organize, manage and document the outcomes of NSC deliberations.
One of the key features of the national cyber director role has the potential to be a bug for the White House, however. The NCD is subject to Senate confirmation. Senate and House oversight committees consider it a matter of institutional right to have Senate-confirmed officials appear before them upon their request for a good throat-choking, to paraphrase King. NSC officials, in contrast, have no duties or obligations in this regard, and have limited direct contact with Congress. The president and his leadership team would have to assume that Congress has legitimate expectations that the NCD would comply with requests to appear before committees under oath. In addition, the law does not exempt the NCD from the Freedom of Information Act (FOIA); the NSC is not subject to FOIA, following the 1996 decision by the U.S. Court of Appeals for the D.C. Circuit in Armstrong v. Executive Office of the President.
Alternatively, the president could establish the ONCD as a separate and distinct EOP organization, akin to the offices of the U.S. trade representative or the intellectual property enforcement coordinator. The national cyber director and his or her designees could participate in NSC deliberations, in the same way that agencies and other EOP components do, but the NCD would have a leadership role coordinating cyber policies that the president decides fall within the ONCD’s mission space. This would prevent congressional oversight from creeping into NSC deliberations, but at the expense of the NCD losing first-party access to the powerful policy process infrastructure wielded by the NSC. The president’s vision for the ONCD’s mission would also have to be spelled out with particular clarity to ensure that the ONCD’s and NSC’s cyber-related coordination activities are aligned and synced.
Both approaches have merit, depending on how the president wants to use the ONCD. And neither approach need be fixed in stone: The president could decide to launch the office pursuant to one of the approaches and change approach if warranted as the NCD’s role matures or circumstances change. Either way, the president will need to define the ONCD’s mission with clarity, especially regarding its relationship with the NSC.
The most successful policy czars tend to possess not only policy chops but also political management skills. They know how to lead people, cultivate allies and operate successfully within the matrixed management environments at the upper echelons of the federal enterprise. Policy czars also need to know something about the subject matter they have been tasked to coordinate, which will be important as a source of their legitimacy within the policy communities they will be part of. These problems affected John Negroponte’s tenure as the first czar for intelligence coordination, the director of national intelligence, as Justin S. Vaughn and José D. Villalobos document in their book on policy czars.
Policy chops alone, however, are not enough. Vaughn and Villalobos point to Jerome Jaffe’s tenure as drug czar during the Nixon administration as an example of a czar with impeccable credentials in the policy domain but limited political management experience. This ultimately hindered Jaffe’s ability to steer the Nixon administration’s drug policy priorities.
An argument can be made that the more important of the two skill sets is political management. Incoming White House Chief of Staff Ron Klain succeeded as President Obama’s Ebola czar because of his track record and reputation for knowing how to get things done within government—even though he had no significant public health experience prior to being tapped to coordinate the U.S. government’s response to the disease. His political management skills enabled him to lead a team of experts and marshal their expertise in a coordinated manner.
As if cyber policy were not already multifaceted enough, the institutional environment for cyber policy coordination and implementation is also complex. Add to that the imperative of forging a seamless relationship with the National Security Council. These factors strongly suggest that the national cyber director should have not only substantial experience in cyber policy but also high-end political management skills.
Tackling High-Profile Problems
As Klain’s example suggests, moments of crisis can contribute to the success of czars. Crises can stimulate an “all hands on deck” mentality that effective leaders can use to mobilize legitimacy and resources—which may be in short supply, especially for freshly appointed policy czars. Crises also often present as a discrete problem, or at least as a problem with more or less definable boundaries. At some point, the crisis will pass, and there will be a product or an outcome from the response.
By any measure, the SolarWinds hack is a crisis. Though it will take months, perhaps years, to understand the full extent of the damage, it is clear that a hostile actor—most likely the Russian government—carried out what is known as a “supply chain” attack to infiltrate the systems of the software company Orion, plant malicious code in its popular enterprise network management product called SolarWinds, and ride the software update process to hundreds of victims in the federal government and private sector.
The hack raises a laundry list of questions, ranging from tactical questions about what to do now to strategic questions about how to prevent something like this from happening in the future. To name just a few: Why did the intelligence community miss this operation? Was the federal government’s procurement process for the software appropriately focused on cybersecurity risks of the product, and are changes to the process needed to reduce the chances that something like this happens again? Similarly, were there any lapses in the federal government’s risk management processes for cybersecurity that contributed to the government’s exposure? Now that the hack is exposed, what should the federal government do to remediate its systems and networks? What should the government’s response to Russia be, and how can the government reinforce its deterrence posture in light of this incident? How exposed is critical infrastructure, and what should the government do to support critical infrastructure resilience following this incident? To what extent was Orion culpable for the hack, and did negligence on its part contribute to Russia’s ability to compromise SolarWinds? What regulatory or legislative reforms are needed, if any, to ensure that software vendors bear their fair share of the costs of cybersecurity shortcomings in their products? What lessons can we draw from this experience about supply chain risks, including the comparative risks of foreign versus domestic ownership?
Biden could assign lead responsibility for responding to the hack to the national cyber director, with the expectation that the director manage the immediate, tactical elements of the response and lead a strategic process to distill lessons learned from the incident and identify policy options and priorities, with a report due to the president after 180 days. This would enable the director to engage counterparts across the government, forge relationships with stakeholders and the broader policy community, map the political economy to identify allies and potential adversaries, and establish his or her legitimacy. EOP elements such as the National Security Council and the Office of Management and Budget would have to play key roles in the process, but having the national cyber director as the point person would free up NSC and OMB bandwidth to facilitate the presidential transition and focus on other presidential priorities.
Having the national cyber director both tackle the immediate tactical elements of the response and lead a strategic process would require the director to be nominated and confirmed by the Senate early in the new administration. The Biden administration must address the hack immediately upon taking office on Jan. 20, so if the nomination and Senate confirmation process take weeks or months to conclude, the NCD could, upon confirmation, focus primarily on the strategic process if the tactical elements of the response are already in place.
As the Trump administration has demonstrated, your ability to influence the president doesn’t necessarily depend on what formal title or job description you have. Yet even in administrations less erratic than the current one, access has been a key determinant for efficacy. There is nothing quite like having to regularly brief the president on the progress of an initiative as a means of driving action. Skilled political managers can use the access to solicit guidance, get decisions made and take the political temperature of their performance. Access to the president along these lines will also serve to build and preserve legitimacy and thus make the national cyber director a more effective and credible advocate and leader for the president’s priorities. Finally, the NCD can use meetings with the president as a forcing function for his or her staff, colleagues and peers to deliver on promised support.
The Bottom Line
The national cyber director concept is the law of the land, and Congress has a legitimate expectation that the Biden administration will implement it. As described above, however, the law gives the president considerable discretion in how to implement the position. Given the overlap between the NCD’s possible duties as laid out in the NDAA and the traditional responsibilities of the National Security Council and the Office of Management and Budget, the administration will want to ensure that the relationship among these Executive Office of the President elements is seamless and mutually reinforcing.