Published by The Lawfare Institute
in Cooperation With
The National Defense Authorization Act (NDAA) for fiscal 2021 created the Office of the National Cyber Director within the Executive Office of the President. The office will be headed by the United States’s first national cyber director (NCD) and is intended to lead the implementation of national cyber policy and strategy, with a focus on making rapid progress on domestic cybersecurity. The director will serve as the president’s senior adviser for cyber issues.
The creation of the Office of the National Cyber Director comes at a pivotal time in the development of the nation’s cybersecurity and on the heels of one of the most widespread cyber incidents ever inflicted on the country. The nation’s lead cyber agency, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, continues to slowly mature into its crucial role. Still in the midst of the presidential transition, President Biden has begun to organize his staff at the White House, including with the creation of a deputy national security adviser for cyber and emerging technologies. While Biden has made it clear that cybersecurity will be a top priority for his administration—and the creation of the new deputy national security adviser is certainly indicative of this—many questions remain. The confluence of these developments and the creation of the Office of the National Cyber Director has led some observers in the administration, the private sector, and the media to pose questions about the nature and role of the new office. The NDAA provides clear descriptions of the office’s several mandates. But questions remain about the motivation for the creation of the office, its authorities and how it relates to other cyber-relevant roles within the White House.
The NCD provision in the NDAA stems from a recommendation by the Cyberspace Solarium Commission, a bipartisan, bicameral commission created by the 2019 NDAA and charged with crafting a new strategic vision for the United States in cyberspace. Here, we provide the commission staff’s answers to these questions in an effort to clarify the commission’s intent in recommending the creation of the Office of the National Cyber Director.
Was the creation of the national cyber director position motivated by the abolishment of the cybersecurity coordinator position in 2018?
Yes and no. Commentators have rightly noted that the creation of the NCD position was motivated partly by former National Security Adviser John Bolton’s abolishment of the cybersecurity coordinator position in 2018, but they tend to overestimate the part Bolton’s move played. Cyber policy experts have long called for a national-level, senior official in the White House to bring coherence and direction to cyber policy, strategy and operations. And Congress has demanded—and continues to demand—accountability and communication from the executive branch on cybersecurity issues. Despite substantial progress by federal departments and agencies, the U.S. government has lacked institutionalized leadership, coordination and a consistent advocate for the appropriate prioritization of cybersecurity in the White House.
To date, the existence of national cyber leadership has been a matter of executive branch policy, not an enduring legislative requirement. The prominence of the role has fluctuated across administrations, with some declining, at times, to fill the position at all. These changes have prevented the persistence and consistency needed to establish enduring policy and strategy. While these issues were cast in stark relief when the Trump administration abolished the position, the fundamental problem is more systemic and long term than any one administration’s actions.
More than anything, the legislative establishment of the position is an affirmative statement from Congress on the need for good governance and effective organization in cybersecurity. The NCD ensures the government’s focus on cybersecurity is a consistent and unified national priority, while also shielding it from bureaucratic turf battles or interest of the president. In this regard, the creation of the Office of the National Cyber Director is not dissimilar to the creation of the Office of Science and Technology Policy in 1976, which was motivated in part by President Nixon’s abolishment of the President’s Science Advisory Committee a few years prior. In both cases, Congress responded by cementing a national priority through its power to organize the executive branch, establishing new positions, and empowering them as best they could.
What will the NCD do?
The NCD role is designed to act as the president’s senior adviser on cybersecurity and associated emerging technology issues, except for Title 10 (offensive) and Title 50 (intelligence) cyber operations and programs. The NCD is intended to focus on implementing the national strategy and policies for cybersecurity, as defined by the National Security Council, and coordinating, supporting, and deconflicting whole-of-nation cybersecurity and defensive cyber efforts led by executive branch agencies and the private sector. The NCD is intended to connect, complement, and strengthen, rather than duplicate, existing organizations and processes. In general terms, the 2021 NDAA confers on the NCD the following functions:
- Advise the president. The NCD serves as the principal adviser to the president on cyber policy and strategy implementation relating to cyber defense, and engagement with industry and international partners.
- Advise the White House and U.S. government agencies. The NCD provides advice to the National Security Council (NSC), the Homeland Security Council, their staff, and relevant federal departments and agencies.
- Lead cyber policy and national cyber strategy implementation across agencies. The NCD assesses agency performance; reviews agency budgets in coordination with the Office of Management and Budget and the NSC; and recommends changes to agency policy, organization, and resources, to include changes to the Federal Information Security Management Act.
- Prepare plans for the federal government response to cyberattacks and cyber campaigns. The NCD develops integrated plans, processes, and playbooks that are interoperable across agencies. The NCD also leads departments and agencies in exercising and updating these plans, including coordination of offensive and defensive operations and integration with the private sector.
- Lead coordinated response to cyber attacks. The NCD leads preincident coordination and actual incident response by the federal government to cyberattacks and cyber campaigns of significant consequence. The NCD supports the deputy national security adviser for cyber and emerging technologies, who is responsible for coordinating the government’s overall response to an incident.
- Engage with the private sector and international partners. The NCD leads efforts to coordinate and consult with the private sector and international partners on cybersecurity and emerging technology issues in support of, and in coordination with, the rest of the federal government.
- Report to Congress. The NCD reports annually to Congress on cybersecurity issues facing the United States, providing a vehicle for congressional oversight of the overall process.
- Issue rules and regulations. The Office of the National Cyber Director promulgates rules and regulations as may be necessary to carry out the functions, powers, and duties vested in the director, an authority that is rare among White House offices. This will be in coordination with the Office of Management and Budget and the new deputy national security adviser for cyber and emerging technologies, who has the lead for developing strategy and policy on cyber and integrating it with the broader economic and national security strategies.
- Represent the president. The NCD acts as a senior representative on the behalf of the president in any forum, domestic or international, at the direction of the president.
Does the NCD have the authorities and powers necessary to be effective in the role?
No, not through legislation alone. Legislation confers the NCD with functions and responsibilities but few authorities independent of those already vested in the president. This was intentional. Congress, with few exceptions, takes a relatively light touch in dictating how presidents use their advisers—beyond organizing the Executive Office of the President. Importantly, the chief of staff and the national security adviser, the most empowered positions in the Executive Office of the President, derive their influence not from law but from convention and their proximity to the president.
Senate-confirmed positions in the White House like the NCD, such as the U.S. trade representative, the director of the Office of Management and Budget, and the director of the Office of Science and Technology Policy, straddle a unique line. The positions within the Executive Office of the President are extensions of the president but as separate, Senate-confirmed office-holders with responsibilities and authorities conferred by Congress, they are accountable officials in their own right. Despite these positions being given responsibility by Congress, their effectiveness and ultimate authority beyond what is prescribed in law hinges on their proximity to—and the confidence of—the president they serve. This rings particularly true in the ability of any of these positions to influence policy. The NCD is no exception.
Much of the exact powers and influence of the NCD will need to be defined through executive orders and, over time, convention. This will need to be a priority for the Biden administration, which will need to update existing executive orders such as Presidential Policy Directive-41 (PPD-41), to account for the position and define its role in national security policymaking, budget review, operational coordination and rule-making. These executive orders will be essential in delegating the necessary authorities to make the position effective and consistent with congressional intent.
How will the NCD work with the National Security Council and the national security adviser?
The 2021 NDAA amended the National Security Act of 1947 to allow the NCD to be a participant in the NSC where cybersecurity issues are a substantial topic and to be included in the development of cyber policy, the National Cyber Strategy, and coordinating U.S. government defensive cyber efforts. However, the NCD serves on the NSC Principals Committee at the president’s discretion, much like the director of national intelligence or the chairman of the Joint Chiefs of Staff. The Biden administration affirmed this status for the NCD in the recently released National Security Memorandum-2 (NSM-2), which renewed and organized the National Security Council system.
The national security adviser is the principal adviser to the president on national security issues, of which cybersecurity is one. As such, national security policy and strategy, including the development of the national cyber strategy and many national cyber policies, will continue to flow through the national security adviser. In this regard, the Biden administration’s decision to create a new deputy national security adviser for cyber and emerging technologies is particularly meaningful. This position will lead the development of a national cyber strategy for the national security adviser and the president, and the NCD should provide advice on the formulation of the strategy.
The NCD will also need to work closely with the deputy national security adviser for cyber and emerging technologies on the development of cyber policy, as each will have a role in developing policies. In this regard the NCD is intended to play a critical role in working with federal departments and agencies on developing and implementing policies and strategies to make the NSC’s strategic vision a reality.
What role will the NCD have in operational coordination?
The NCD position was established to lead the coordination of integrated response by federal departments and agencies against cyberattacks and cyber campaigns of significant consequence, and to ensure coordination with the private sector in these responses. The NCD’s efforts should include significant preplanning before an incident such as plan and “playbook” development and cross-sector exercises. In this responsibility, the NCD will work across government and the private sector to define priority, risk-based scenarios by which to guide and direct interagency planning efforts. These plans, regularly exercised, will serve to prepare both public- and private-sector partners to shift seamlessly to response and recovery efforts when a major cyber incident occurs. These efforts will no doubt help enable the NCD to serve a critical leadership role in coordinating initial incident response efforts, a chaotic period where visible leadership, clear communication, and a concrete plan-of-action do much to instill order and credibility. This vantage point will also serve to inform the NCD on key areas of critical infrastructure where additional attention is warranted for long-term cyber resilience.
To facilitate this role, the NCD is intended to play a leading role in the Cyber Response Group, the current NSC-led, interagency body authorized under PPD-41. The Cyber Response Group coordinates, plans, and oversees U.S. government responses to cyber incidents and malicious cyber campaigns. Before the position was abolished, the NSC’s cybersecurity coordinator was charged with leading the Cyber Response Group. It was the original intent of the NCD legislation for the president to update PPD-41 and give management of the Cyber Response Group to the NCD. However, given the Biden administration’s creation of the new deputy national security adviser for cyber and emerging technologies, it is far more likely the NCD will share responsibility for this interagency body. In any case, given the necessary interplay of offensive and defensive efforts, the NCD and the deputy national security adviser for cyber and emerging technologies will need to work closely together, both inside and outside the Cyber Response Group, to ensure a consistent and comprehensive approach to U.S. actions in cyberspace.
What is the NCD’s role in Title 10 and Title 50 operations?
The NCD will have no role in coordinating Title 10 (offensive) and Title 50 (intelligence) operations. That said, the NCD is intended to have visibility into these operations. Given the NCD’s roles in organizing, planning, and coordinating defensive cyber operations and as a representative of the U.S. government in international forums, he or she should at least be aware of any operation that could inadvertently cause retaliation and, to the degree the director is able, preemptively prepare for it. That said, the degree that the NCD will be allowed to weigh in—and at what level—in the planning and coordination process is at the discretion of the president.
Because the president has established the NCD’s position on the NSC Principals Committee, the NCD will likely have some voice on operations if and when they rise to that level of decision-making. Given this, it would be shrewd on the part of the national security adviser to include the NCD or his or her staff early in any decision-making process that would eventually come before the NCD in a Principals Committee meeting to which the director is a part.
What is the NCD’s relationship with the director of CISA? What is the relationship with other departments and agencies?
The NCD is intended to connect, complement, and strengthen, not duplicate, the existing work of departments and agencies. CISA is no exception. CISA will maintain responsibility for the coordination of U.S. government-wide cybersecurity and defense efforts at the operational level; the NCD will focus on the strategic level, namely in the development and implementation of plans, programs and strategy. While CISA has well-established responsibilities, programs, and processes to lead the overall U.S. government-wide cybersecurity effort, the agency is limited in its ability to cajole or persuade other departments and agencies to participate and follow suit—particularly when parochial agency interests run counter to greater integration. Department and agency priorities, policies, programs, and, most importantly, budgets can diverge markedly from CISA’s vision and its conception of a well-coordinated U.S. government effort. The NCD in this capacity will be a useful ally for CISA in ensuring that the agency’s central role in cybersecurity is reinforced and made manifest through programs and execution.
The NCD will also need to manage the varying interests of the interagency, a more perilous balancing act that requires compromise between long-term vision and department and agency priority. National-level strategy and policy implementation in cybersecurity are complex endeavors, one where tension often exists between White House-led top-down design and bottom-up department and agency defense of bureaucratic self-interest. After all, policy and strategy development proceeds by consensus before reaching the president’s desk, and Cabinet members are not inclined to consent to any measure that promises to reduce their role or their organization’s room to maneuver. That said, as part of the president’s ostensible “inner circle,” the NCD position was designed to have sufficient proximity to the president to define a long-term strategy, weigh its trade-offs with bureaucratic interests, and ensure its successful implementation. Managing this tension and navigating the push-and-pull relationship between department and agency principals will be a key factor in the director’s ultimate effectiveness.
What will be the NCD’s role in engagement with the private sector?
In the 2021 NDAA, the NCD is given nominal responsibility for leading coordination and consultation with the private sector on cybersecurity and emerging technology issues. What this looks like in practice, however, is complicated. Even with a full office of 75 personnel, the NCD will lack the bureaucratic strength and existing private-sector relationships to manage or run a full-fledged industry engagement process. Nor would such a thing be desirable. The U.S. government maintains a number of fora for industry engagement on cybersecurity, including those led by the Department of Homeland Security (through CISA) and the Department of Commerce (through the National Institute of Standards and Technology, for example). Adding another player to compete with these efforts, rather than coordinate them, would only further stoke industry frustration and run counter to the type of government integration the NCD is intended to produce. The NCD has a critical role here in establishing the broad elements of national strategy, supporting lines of effort, and, in turn, supporting, enabling, coordinating, and deconflicting department and agency cyber engagements as they execute their roles within that strategy. The national cyber strategy should account for the need to coordinate and bring coherence to U.S. government engagement with the private sector writ large.
That said, the NCD will need to engage directly with the private sector on national-level cyber policy implementation and development of responses to and recovery from cyber incidents. This is a critical piece of why the NCD position was created—to ensure there is a reliable, senior-level official who can, on behalf of the entire U.S. government, act as both a voice and a touchpoint on cyber issues for the public, industry, Congress or otherwise. In this, the NCD will complement, not replace, private-sector engagement led by CISA. CISA, as the executive agent for the Critical Infrastructure Partnership Advisory Council, manages the U.S. government process for cybersecurity and infrastructure security engagement with the private sector. This process runs through sector coordinating councils, which are jointly led by CISA and the relevant department or agency (called the Sector Risk Management Agency) for each of the 16 critical infrastructure sectors. The NCD was designed to lead the implementation of national-level defensive policy and strategy, allowing CISA to focus on plans, operational collaboration, and more tactical and technical issues. Where those issues overlap or merge, the NCD would be well served to leverage the established processes CISA already has in place. In any case, communication and close coordination between the director of CISA and the NCD will be a necessary reality of both positions.
What is the NCD’s role in international engagement?
It is expected that the NCD, in coordination with the national security adviser and the national economic adviser as appropriate, would participate in meetings with international partners on topics of cybersecurity and emerging technologies to implement the National Cyber Strategy and advance the president’s international priorities. The NCD would be expected to coordinate closely with relevant offices within the State Department when participating in international cyber and cybersecurity-related initiatives, international agreements, standards-setting bodies, and capacity-building efforts. The NCD will be included as a participant in preparations for the execution of cybersecurity summits and other international meetings at which cybersecurity or related emerging technologies are a major topic.
Is the NCD subject to Freedom of Information Act requests? Will this impede the director’s ability to do his or her job as an adviser to the president and coordinator on cybersecurity?
Broadly speaking, yes, the NCD is subject to Freedom of Information Act (FOIA) requests. Andrew Grotto brings up a good point that the new Office of the National Cyber Director will not benefit from FOIA exemptions afforded to the NSC. This is, in broad strokes, accurate, but the framing is misleading. The NSC is not exempted from FOIA by statute, but, as Grotto points out, through a Supreme Court decision. “Because the NSC operates in close proximity to the President … and because the NSC does not exercise substantial independent authority[,]” the Supreme Court concluded that the NSC is not an “agency” for the purposes of FOIA and thus not subject to its requirements. Rightly or wrongly (and the late Justice Ruth Bader Ginsburg wrote a compelling dissent), the same argument could be equally applied to the NCD, who, as noted above, does not enjoy substantial independent authority beyond that delegated by or derived from his or her proximity to the president. Still, it is worth acknowledging that the Office of Science and Technology Policy, the Office of the U.S. Trade Representative, and the Office of National Drug Control Policy—arguably more similar to the Office of the National Cyber Director than the NSC for reasons covered below—are not exempt from FOIA requirements.
It is reasonable to expect that much of the NCD’s work will be exempt from FOIA under one of the law’s nine categories of exemptions. Exemption 1 covers information classified to protect national security. Exemption 4 covers trade secrets or commercial or financial information—a pertinent exemption given the NCD’s expected role in liaising with the private sector. Finally, and most importantly, exemption 5 covers privileged communications between agencies or deliberative, pre-decisional documents. According to the Department of Homeland Security, this “[p]rotects the integrity of the deliberative or policy-making processes within the agency by exempting from mandatory disclosure opinion, conclusions, and recommendations included within inter-agency or intra-agency memoranda or letters.” It is difficult to imagine a scenario in which much of the NCD’s substantive work wouldn’t qualify under this exemption and its subset of executive privilege. The concerns over FOIA undermining the integrity and confidentiality of the president’s deliberative process are overblown. This should not impede the director’s ability to do his or her job.
Does being Senate confirmed impede the NCD’s ability to do his or her job as an adviser to the president and coordinator on cybersecurity?
Andrew Grotto points out rightly that “Senate and House oversight committees consider it a matter of institutional right to have Senate-confirmed officials appear before them.” And it should be expected that the NCD will be called upon routinely to testify before the House and the Senate. It’s worth noting, however, that NSC deliberations include Senate-confirmed positions at the assistant secretary, deputy secretary, undersecretary, and secretary levels at successive stages of the policy process. The same logic of concern that is leveled at the NCD could be applied equally to these positions, which are similarly beholden to Congress. But does the president keep the secretary of defense at arm’s length because he or she can be called to testify before Congress? No. Executive privilege would almost certainly apply.
Does this put the NCD in an uncomfortable position between Congress, which desires to know more, and the president, who prefers to keep deliberations confidential? Certainly. But no more than it does the director of the Office of Management and Budget, the U.S. trade representative, the director of the Office of Science and Technology Policy, or the director of the Office of National Drug Control Policy. Each of these positions is both Senate confirmed and appointed in the Executive Office of the President. Each is involved, in various degrees, with national security decision-making. And each invokes executive privilege where appropriate and where applicable. It is a space the White House knows how to navigate well.
Will the NCD position require changes?
The NCD was never intended to spring fully formed from the minds of the multi-stakeholder commission that recommended it or the Congress and the pages of statute that gave birth to it. It will take time and considerable effort to find its way among the dynamic environment of the White House and the fray of the interagency. The creation of the deputy national security adviser for cyber and emerging technologies is a positive development and will need to be accounted for. The NCD is not and likely will not remain static. The president holds preeminence in delegating authority to the position through executive order. And Congress maintains its prerogative to empower the position further and in response to, and support of, how the president manages the position. It is an iterative dynamic that will lend itself well to evolving needs of cybersecurity and the demands of the office.
But the fundamental argument for the establishment of the position remains the same: The U.S. government needs vision, leadership, and unity of effort in cyberspace. This is true irrespective of political party or administration—though the Biden administration is off to a good start. That said, the definition of insanity is doing the same thing over and over again and expecting a different outcome. The NCD position changes the institutional dynamic and is a marked step forward in ensuring enduring leadership and accountability. It will need to evolve, certainly, but as it stands the position is a good start. It is up to the Biden administration to make it successful.