Tension grows between Congress and the administration over how White House cyber policy should be run
Congress has been pressing for a greater role in overseeing how the administration conducts cyberpolicy, but the White House is wary of lawmakers exerting influence over a critical area of national security.
At issue is how the White House will respond to a new law requiring the creation of a national cyber director, intended to be the principal person advising the president on policy and strategy, and who, significantly, is subject to Senate confirmation and public hearings. It’s what the law’s co-author, Sen. Angus King (I-Maine), calls having “one throat to choke.”
But the White House does not appear eager to fill the job right away. It has launched a 60-day review — which some lawmakers regard as an unnecessary delay — to study how the job should be structured. A nominee is not imminent, according to people familiar with the matter, who spoke on the condition of anonymity to discuss internal deliberations.
Last month, before President Biden took office, his team announced a potential rival power center at the White House — a deputy national security adviser for cyber inside the National Security Council, who, like other NSC officials, does not undergo Senate confirmation and remains outside congressional oversight.
The Biden administration believes that cyberstrategy is best run out of the NSC but it now has to comply with the law passed in December and name the national cyber director, who sits outside the NSC. The White House could construct the new role narrowly, but the less power the director has, the less visibility Congress will have into the area, which was a major goal of the legislation.
“This is the most serious external threat to our country right now, as proven as recently as the SolarWinds hacks” of U.S. agencies and private companies, said King, co-chairman of the bipartisan Cyberspace Solarium Commission, whose recommendations prompted more than two dozen provisions that have become law, including the new director role. “Having a member of the administration appointed by the president, confirmed by the Senate, gives this person the scope and authority to oversee this very complex and critically important issue. . . . I just frankly don’t understand why it’s taken this long to name a nominee.”[Cyber Solarium Commission proposes actions to strengthen nation’s defenses against foreign threats]
The White House said in a statement that “it’s still early days, and we’re still getting a full understanding of what we’ve inherited from the previous administration’s failures on cyber, including SolarWinds and the erosion and sidelining of the NSC Cybersecurity Directorate.”
Standing up “a new federal entity is very complicated — and so we’re taking a look at how we can do this in a way that makes the most sense,” the statement said. The office of the national cyber director comes with a staff of up to 75, according to the law, but Congress has not yet given the White House the money to hire people.
In late November, as the bill was headed toward passage, Biden’s transition team sought to remove the requirement for Senate confirmation. They liked the idea of the position but were concerned about exposing the cyber director’s office to freedom of information requests and litigation, which would “make it more challenging” to interact closely with the NSC, said one person familiar with the matter.
But by then the bill, which was part of the annual defense authorization package, had been negotiated by both chambers. In December, after Congress overrode President Trump’s veto of the defense package over unrelated issues, it became law.
Congress created the position in part as a reaction to the Trump administration’s elimination of the cyber coordinator role in 2018, which angered lawmakers from both parties. They wanted to ensure the presence of a senior White House official to direct strategy and incident response for the government and with the private sector.
Legislators like King were adamant the job be Senate-confirmed. “If the NCD did not require Senate confirmation,” King said, “it would have neither the continuity nor the stature that I believe it needs to fulfill this critically important function.”
The job has its limits. It can coordinate the defense of civilian agencies and of the private sector. While it can have visibility into the military and intelligence agencies, unlike NSC officials, it can’t oversee coordination in those areas.
The Biden administration is fielding an experienced cyberpolicy team and “they want flexibility in how they structure” it, said a second person familiar with the matter. “They didn’t want Congress encroaching on what they see as essentially a White House prerogative. Look, running cyberpolicy from outside the National Security Council, creating a sort of ‘Shadow NSC’ for cyber, is not the most effective way to do it.”
Last month, Biden named Anne Neuberger as deputy national security adviser for cyber and emerging threats. A well-regarded former top official at the National Security Agency, Neuberger is a close confidante of national security adviser Jake Sullivan and NSA Director, Gen. Paul Nakasone.
Neuberger’s is arguably the most powerful White House cyber position ever. She has the authority to coordinate policy and operations across military, civilian and intelligence agencies, and that includes cyber-offense, a key part of the government’s capabilities. Significantly, she can call meetings of deputy secretaries on cyberpolicy and operational issues.
On Wednesday, in her first public remarks in her new job, Neuberger briefed the White House press corps on the SolarWinds investigation, saying its scope and scale made it more than an “isolated case of espionage.” She said she is briefing lawmakers and speaking with private sector partners.[SolarWinds compromised nine U.S. agencies and about 100 companies, top White House cyber officials says]
“The Biden administration has created the right position with the right reporting structure and filled it with the right person,” said Jamil Jaffer, executive director of the National Security Institute at George Mason University. “So at this point, what is the purpose and need for a national cyber director that creates a potentially competing role, with obligations to Congress and the president and who doesn’t have the necessary clout to do the job?”
Advocates point out, however, that the cyber director will have an advantage that neither Neuberger nor any past White House cyber czar or coordinator has had: the ability to review agencies’ budgets and make recommendations to the president — a potentially significant lever to induce change.
“It ultimately could be a very strong entity if the president wants it to be,” said Rep. Jim Langevin (D-R.I.), a Solarium Commission member who co-wrote the bill.
Michael Daniel, who served as White House cyber coordinator under President Barack Obama, said that ultimately, excluding the intelligence community and defense agencies from the cyber director’s coordination role “is just not plausible” given the law’s requirement that the individual oversee major incident response across the government.
Some see a way forward with a division of labor. The cyber director would implement a national cybersecurity strategy, and coordinate the government’s nonmilitary response, including in cooperation with the private sector, after a major incident. Neuberger would be responsible for developing options to respond to an attack by a foreign adversary, such as cyber-retaliation or sanctions, perhaps in concert with allies.
“These two functions can be complementary and should be,” King said. “I’m not going to fault the administration for moving to shore up our cyberdefenses. I just think they need to take the next step.”
Photo: © Kristoffer Tripplaar for The Washington Post Sen. Angus King (I-Maine), seen in 2018, wants to see the Biden administration name a national cyber director soon.
