SolarWinds Hack Shows Why We Need a National Cyber Director

Last year Congress held multiple hearings to determine whether the U.S. needs a White House-appointed National Cyber Director. A National Cyber Director, some argue, could more effectively coordinate federal responses to major cyber attacks and develop in-house expertise to advise the president and federal agencies on national cyber policy.

After FireEye found the Sunburst malware in SolarWinds software in December, cyber experts raised the rallying cry again: we need a National Cyber Director to develop a cohesive cyber strategy to address long-standing vulnerabilities and lead management of cyber incidents when they occur.

“We recognized a dependency on a set of technologies we don’t secure well,” said Atlantic Council’s Trey Herr during GovernmentCIO Media & Research’s Infrastructure: Security event this week. “People have been talking about supply chain security for more than a decade, but bringing robust (policy to that risk) has been lacking. SolarWinds shows how much we need to be thinking about risk as a holistic construct. I’m not just thinking about the risk of two products, but two chains of products going back to those vendors. The December event showed us how far back those chain dependencies go and how aggressive we need to be thinking about the landscape.”

Herr, who leads the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council, said the SolarWinds hack “redoubled the need and insistency” for a National Cyber Director.

“In some ways it’s unprecedented, but to have an entity that reports directly to the president that has 75 seats and a budget and the ability to work with both federal and private-sector problems, it’s really a significant opportunity,” Herr said. “It underlines the significance with which public and private partnership needs to mature. It’s more than regulating the private sector and trying to manage risk … it’s really a partnership in designing and deploying tech to minimize low probability for incredibly high consequence failures. A vision from a single office and coordinator like that will be really important.”

If President Biden chooses to appoint a National Cyber Director, there are a few priorities Herr says should be at the top of the new director’s to-do list. One is building a good relationship with cloud service providers (CSPs), because the division of security responsibilities between organizations and their CSPs becomes increasingly nebulous.

“Keeping the house from burning down is priority zero, but first [priority] is the relationship with major scale cloud service providers in the U.S.,” Herr said. “[Cloud] enables graduated IT spend and specific feature acquisition that large organizations want to buy into. It enables some opportunities on the security side as well to do sophisticated analytics on a much wider set of data. Cloud computing means they’re embracing architectures they may not be familiar with. Realistically, the tradeoff that’s being made here is users and organizations are sharing responsibility with a cloud provider, and the line of where that sharing happens is a significant one. The line between provider and organization is a lot fuzzier than it once was.”

The second priority, Herr said, is “taking significant steps to empower the federal CISO and all agency CISOs within the federal government.”

“This is an opportunity for the National Cyber Director to not only rationalize behaviors, but also support them and empower partners across the fed enterprise,” he said. “The National Cyber Director office size, 75 staff, means there are opportunities to build clusters of expertise and build out networks outside the federal government. One example is the TIC working group. That’s a very technically focused set of issues. It also really asks some fundamental architecture questions of how we build and operate. I think there’s an opportunity not just to make new rules, but streamlining and simplifying and getting rid (of rules). The National Cyber Director, because they report to the president and work alongside the national security advisor, are going to be able to drive parts of the national agenda … around cybersecurity.”

More broadly, a National Cyber Director should lead federal agencies to accelerate their cyber defense activities.

“The speed of defensive activities is determined by budget cycles, risk management platforms and lengths,” Herr said. “There’s a series of regulatory and cybersecurity mechanisms that exist within the federal enterprise that are targeting threats and working at a pace that might have been effective 10 years ago, but really are not keeping up with the risks that are being assumed from nonmalicious code, certain programs do not keep pace with the rate at which that code is developed. We’re trying to prioritize the way defenders think and move that matches the way offensive enemies think and move.”

A National Cyber Director can also prioritize assets and data, and build expertise to make those decisions, something Congress doesn’t have the resources or the responsibility to do.

“It’s an opportunity to concentrate expertise and build strategy, things Congress is not built for,” he said. “When we talk about holistic risk in certain cases, it suggests we’re trying to defend everything, which we know is a recipe to defend nothing. Identifying risks and working back to understand its source to find the most efficient way to remove it. Efficiency and prioritization matter as much as anything else. We’re going to leave some systems behind. We have to accept that.”