As a now thirty-three-year veteran of the cybersecurity industry, having served in a variety of senior roles supporting industry, academia, and government, I was surprised to learn that Mr. Rob Joyce was stepping down from his important role as the US Cybersecurity Coordinator. I was especially surprised, perhaps alarmed, to hear this week that Mr. John Bolton is seriously considering not refilling the position. I’d like to summarize my concerns and suggestions.
First, recognize that the popular nickname for this position, US Cyber Czar, could not be more misleading. The position, established in 2009 by President Obama, was intended not to dictate, but rather to coordinate the cybersecurity interests across the federal government, as well as to communicate with industry. The first person to fill this role, Mr. Howard Schmidt, served ably, and created a basis for refinement of the position through subsequent Administrations.
Each branch of our Federal Government views cybersecurity from a different perspective. The Department of Defense, for example, views things from a worst-case scenario lens, always directing their activities toward avoidance of the most serious cyber dangers. The Department of Homeland Security, Department of Commerce, Department of Justice, Secret Service, and other agencies, in contrast, view cybersecurity from a different lens – as you would expect.
As mentioned above, the US Cybersecurity Coordinator is tasked with just what the name implies – coordinating the views of government and industry into a coherent position and strategy. Sometimes, this task can be accomplished by getting the right people together into one room to establish common grounds. Other times, it requires the skills of an expert politician to cajole various groups together into a common set of protection initiatives.
Take the important challenge of US national election cybersecurity. Mr. Joyce explained to me shortly after taking the position that this was one of his priorities – and this made all the sense in the world. Few issues require the collage of coordinated initiatives, capabilities, and intelligence of our entire government – not to mention industry and academia – as protecting our elections. With no US Cybersecurity Coordinator, this task becomes a dangling loose end.
The importance of the component of this position that involves serving as a personal liaison to industry cannot be overstated. Recognize that when dealing with an official government agency, industry cybersecurity experts are often hamstrung by stilted processes and sharing constraints. Each of the men serving in this role, including Mr. Michael Daniel, who took over from Mr. Schmidt in 2012, was effective at short-circuiting this challenge to get things done.
My advice to Mr. Bolton is to not abolish the position. It would make more sense instead for our country to have him work to improve the position. As a formal role with less than a decade in existence, of course it has had its challenges, and of course it requires refinement. To that end, I believe there are three specific areas where the position could be easily improved to align with the President’s goals and to help safeguard our nation from cyber attack.
First, the Administration should define a crystal-clear set of specific tasks that the Cybersecurity Coordinator should seek to accomplish. It would be a simple process to identify meaningful cybersecurity tasks that the position could be directed to focus on in the coming months. I mentioned election security, but how about streamlining threat data flows between agencies? Or aligning our security awareness priorities? Or improving international cyber norms?
In an era where our President has been elected to focus our homeland protection efforts on immigration, which is certainly reasonable, we must nevertheless not forget how quickly cybersecurity issues can disrupt our nation’s progress. Experts will attest that cyber attacks represent the ultimate in asymmetric threats; that is, precious little resource and energy are required to create an enormous amount of negative consequence – quickly.
Second, the Administration should align the position more closely with coordinating effective public-private discussion and cooperation. This requires that proper sharing structures be established to ensure continued interaction, but also requires that the selected Cybersecurity Coordinator have the background to properly speak the language of industry. (Full disclosure: I was approached numerous times about this position, but never engaged – obviously.)
Recognize that unlike many of the responsibilities of our Federal Government, cybersecurity must deal with the challenge that most of our critical infrastructure is owned and operated by the private sector. As such, any national protection initiative must not only include participation from industrial leaders, but one could easily make the case that commercial protections must be viewed as the primary line of defense against most forms of large-scale cyber attack.
Third, the position should be designated to serve as the common public voice for the present Administration. While this might seem awkward under a President who speaks so openly and freely to the American public, cybersecurity topics can be technically complex, and having one voice that can explain clearly to the American public the consequences and recommended response to a given cyber event would be an asset to both Mr. Bolton and our President.
Consider, for example, that most Americans have no idea how they might help the present Administration in its cybersecurity objectives – and this is a shame, because common citizens can do so much to help us protect our nation. Basic security awareness on how to avoid becoming trapped into a foreign botnet, for example, allows our citizens to participate in protecting the country. The Cybersecurity Coordinator can help drive such good behavior.
The decision to abolish or maintain the position represents one of those watershed moments in our history that I suspect we will look back on in a decade with great interest. Should the position be terminated, my view is that we will connect it as a root cause to subsequent cyber confusion and chaos across our national infrastructure. On the other hand, should we improve the position, my guess is that it will come in handy many times over.
Edward Amoroso is currently CEO of TAG Cyber LLC, Distinguished Research Professor at NYU, Adjunct Professor at the Stevens Institute, and Senior Advisor at the Applied Physics Laboratory at Johns Hopkins University. He is former Senior Vice President and Chief Security Officer at AT&T, former member of the M&T Bank Board, and former member of the NSA Advisory Board.