Mike Rogers — a former FBI agent, Army officer and member of Congress who chaired the House Permanent Select Committee on Intelligence — changed his mind about whether the U.S. government should have a National Cyber Director.
He was formerly concerned about the expansion of government, he explained, but now he believes instating a National Cyber Director is imperative to protecting the U.S. from cyber threats from criminal and nation-state actors. And he’s not the only one.
Cybersecurity and national security experts unanimously called for Congress to instate a National Cyber Director within the Executive Office of the President at a House Oversight & Reform Committee hearing this week, emphasizing the need for improved coordination across agencies to address rising cybersecurity threats since the start of the COVID-19 pandemic.
“We are one keystroke away from a major cyber incident in the U.S.,” Rogers said. “We think of the big agencies, but we don't think of the smaller ones and the information they have that is pretty sensitive information. They are absolutely under siege today, billions of times a day, someone is getting up with the sole purpose of penetrating the U.S. government at any level. That's happening in a pretty big and significant way, and we're going to need to do something.”
Rep. Mike Gallagher (R-Wis.) and Sen. Angus King (I-Maine), co-chairs of the Cyberspace Solarium Commission, issued a report in March detailing recommendations for the U.S. government to improve its cybersecurity posture. One of the most notable recommendations is a National Cyber Director to coordinate and direct cybersecurity efforts across federal agencies.
Gallagher, King, Rep. Jim Langevin (D-R.I.) and also Rep. Carolyn Maloney (D-N.Y.), who chairs the House Committee on Oversight & Reform, introduced a bill to instate a National Cyber Director at the end of June.
“Ultimately we decided the federal government would be better equipped by strengthening existing [cybersecurity] agencies rather than the creation of a new department,” Gallagher said at this week’s hearing. “The institutionalization of a cyber coordinator position in the White House would be essential to effectively coordinate national strategy and provide much needed leadership internationally, with state and tribal governments and the private sector.”
In 2018, the Trump administration abolished the White House cyber coordinator position. Since then, cybersecurity experts and representatives from cybersecurity-focused agencies — like the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security, the National Security Agency and the FBI — have called for a reinstatement of the position.
Langevin said since the beginning of the coronavirus pandemic, hackers are increasingly targeting U.S. government agencies, private companies and universities working on the coronavirus response and vaccine development. A national coordinator could help streamline and focus efforts to enhance cybersecurity across the .gov and private sector landscapes.
If a large cyber “incident” were to occur, he added, a National Cyber Director could ensure a quick and efficient response.
“I certainly feel a National Cyber Director is the most effective way to prevent and also respond to a cyber incident of significant consequence,” he said at the hearing. “We thought this was the best way to go of the various options we recommended. It doesn't create excessive bureaucracy, it's very streamlined. It's a coordinating authority to make sure everyone is pulling in the same direction in the event of a cyber incident.”
The top concern expressed by members of Congress at the hearing was whether reinstating the position would create more inefficient bureaucracy. Gallagher said the Office of the National Cyber Director would include about 75 staffers. He also clarified this cyber director position as fundamentally different from the previous cyber coordinator position in the White House.
The new position would have the authority to direct federal agencies like DHS, the FBI and the NSA on national cybersecurity matters.
“I think what we're arguing is even with that ante, that cyber coordinator, was not sufficient to get that over-agency oversight you need,” he said. “We want this person to not only have the ear of the president but be a single belly button to push to get answers when it comes to answers.”
Suzanne Spaulding, the former undersecretary for cyber and infrastructure at DHS and now a commissioner for the CSC, said a National Cyber Director position is necessary to prevent unnecessary squabbles over precedence between the cyber-focused agencies like DHS, the FBI, and NSA.
“A National Cyber Director could and must be empowered to address these key coordination challenges with the backing of the president,” she said at the hearing.
During past cyber incidents, DHS, CISA, FBI and NSA would exchange information and then discuss how to prioritize.
"Do we go first and mitigate the problem and address the cyber activity and the damage being done, or put our priority on putting law enforcement in there to do attribution? But both can't happen at once," he said. "The advantage that a National Cyber Director can bring to bear is to deconflict those competing equities quickly. Time is of the essence [during a cyber incident] to make sure we can get in there and do what is most important first.”
Rogers, who was previously concerned about “expanding government” by creating another position in the Executive Office of the President, said the White House and members of Congress shouldn’t be concerned about creating more bureaucracy with a National Cyber Director.
A National Cyber Director will be to cybersecurity efforts what a quarterback is for a football team, he said.
“What I find this bill does that I think was different from previous discussions — it doesn't expand government, which I was really concerned about, but it focuses it,” Rogers said.