National cyber director role in the spotlight after SolarWinds hack
The compromise of at least seven federal agencies through the SolarWinds hack has technology experts stressing the importance of a national cyber director (NCD) role within the incoming Biden administration.
President-elect Joe Biden is expected to appoint the first-ever NCD, a position the National Defense Authorization Act of 2021 will create, after taking office Jan. 20.
The role could prove instrumental in preparing for future emergencies like the one at SolarWinds — one of the most serious incidents of digital espionage in U.S. history — by ensuring more even implementation of the National Cyber Strategy across departments, experts say.
“An NCD doesn’t guarantee you don’t have a cyber hack, either one that does damage or an espionage hack like this,” Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, told FedScoop. “However, what we think an NCD will do is significantly raise the overall readiness of the federal agencies in cybersecurity and ensure that there’s better public-private collaboration.”
The Cybersecurity Solarium Commission recommended the creation of an NCD in a March report and successfully pushed for its inclusion in this year’s NDAA, well before the SolarWinds hack, which has been tied to Russia.
But a “drastic” gap remains between the Department of Defense and intelligence community’s (IC) cyberdefenses and the more static defenses of civilian agencies, said Montgomery, who serves as executive director of the Solarium Commission when it’s active. As a Cabinet-level official, the NCD could help close that gap by advocating the Cybersecurity and Infrastructure Security Agency receive sufficient resources for securing .gov IT infrastructure.
First the NCD must build relationships inside the White House with the National Security Council, National Economic Council, Office of Science and Technology Policy, and Office of Management and Budget, before turning to Cabinet and agency heads. Then comes defensive cybersecurity campaign planning, Montgomery said.
Effectively integrating defensive cyber-capabilities within agencies to protect against another SolarWinds-style hack will require the NCD to improve coordination with industry — ideally by spearheading a national cyber research and development strategy, multiple experts say.
“I think the NCD position could, in fact, act to catalyze that strategy,” said Samuel Visner, a tech fellow at MITRE, in an interview. “They’d be in a good position to work cooperatively with the White House OSTP, but they would also be in a position — not only to reach out to industry and academia — but to help modulate the programs and budgets of the various agencies that have cyber research and development resources.”
A smarter supply chain
The NCD’s “whole-of-nation” strategy could create a community of practice with government, industry and academic representatives to address pressing challenges, Visner said.
Government further lacks a supply chain strategy for information and communication technologies like those exploited by the Russian hacking group APT29, or Cozy Bear, in the SolarWinds hack. To date, parts of the departments of Commerce, Defense, Energy, Health and Human Services, Homeland Security, State, and Treasury have reportedly been compromised as a result.
Within the Alliance for Digital Innovation‘s 2021 priorities for the Biden administration is a “smart supply chain” plan that the NCD could also implement. Current government supply chain efforts are “dispersed and poorly coordinated,” hindering agencies’ abilities to defend against nation-state actors, secure government data and protect intellectual property, according to the association of commercial companies.
Industry wants a better understanding of which agencies are in charge and who they should share their information with because several have set up centers of supply chain analysis, said Matthew Cornelius, executive director of ADI, in an interview.
Congress created the Federal Acquisition Security Council in 2018, and there’s also the National Risk Management Center within the Department of Homeland Security. And DOD, the Department of Commerce and the IC have robust efforts underway as well.
Making sense of the field starts with the NCD stepping in to coordinate information sharing.
“If they can iron out some of the inconsistencies and some of the fiefdoms that we have in supply chain right now and work to deliver a cohesive strategy, it will make it easier for the government and industry to work together,” Cornelius said.
Individual agencies’ efforts might not need to be halted, but they definitely shouldn’t be working at cross purposes, Montgomery said.
Including the NCD as a provision in the NDAA was actually the suggestion of the Solarium Commission. The public-private commission has floated the names of several of its members as potential national cyber director candidates, but the Biden transition team has so far stayed silent on potential appointees.
Someone with a mix of government, private sector and IC experience, who also has “sharp elbows,” would be helpful, Montgomery said.
“They have to be able to win bureaucratic battles with Type-A Cabinet members because in the end even after SolarWinds — give it three months to die down; it happened on my predecessor’s watch — there are going to be Cabinet members who, when the time comes to make the hard budget cut, cybersecurity will get cut because it’s not a primary mission of the department or agency,” Montgomery said.
Regardless of who ultimately lands the role, its filling has become all the more important in the wake of the SolarWinds hack.
“While we are confident that our federal cybersecurity leaders are doing all they can to mitigate any impact of this active exploitation, there is no question that a consistent, unified approach is necessary to rid federal networks of any of its remnants,” said Rep. Dutch Ruppersberger, D-Md., by email. “This is why I, along with my colleagues in Congress, have supported the creation of a national cyber director.”