Cyberspace Solarium Commission Legislators Renew Call for National Cyber Director in Light of GAO Report

Sep 22, 2020 Issues: Cybersecurity

WASHINGTON — Cyberspace Solarium Commission co-chairs Senator Angus King (I-ME) and Congressman Mike Gallagher (R-WI) and Commissioners Senator Ben Sasse (R-NE) and Congressman Jim Langevin (D-RI) renewed their call for strong cyber leadership in the White House – a sentiment reinforced today by the Government Accountability Office (GAO) report 20-629, entitled: “Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy.” The GAO report includes a recommendation that Congress take up legislation designating a cyber leadership position within the White House. The Solarium Commission made a similar recommendation in its March report, and in June, Langevin and Gallagher introduced H.R. 7331, the National Cyber Director Act, implementing that recommendation. A version of the National Cyber Director Act passed the House of Representatives as part of the Fiscal Year 2021 National Defense Authorization Act in July.

“Today’s GAO report is further confirmation of the Solarium Commission’s conclusion that strong, central leadership is needed to address increasing cyber threats,” said the legislators. “We strongly support GAO’s recommendation that Congress enact legislation designating a leadership position in the White House for cybersecurity, complete with the authority and stature required to coordinate and integrate federal actions. We look forward to continuing to work with our colleagues to advance legislation creating a National Cyber Director to do just that and help overcome the urgent challenges we face in cyberspace.”

The National Cyber Director Act creates the position of a National Cyber Director within the White House. The Director would serve as the President’s principal advisor on cybersecurity and associated emerging technology issues and function as the lead national-level coordinator for cyber strategy and policy. The National Cyber Director would be appointed by the President subject to Senate confirmation and would oversee and coordinate federal government incident response activities, collaborate with private sector entities, and attend and participate in meetings of the National Security Council and Homeland Security Council. The Director would develop and oversee implementation of a National Cyber Strategy to defend the nation’s interests and critical infrastructure against malicious cyber actors.

Selected passages from the GAO Report “Cybersecurity: Clarity of Leadership Urgently Needed to Fully Implement the National Strategy:”

  • Congress should consider legislation to designate a leadership position in the White House with the commensurate authority—for example, over budgets and resources—to implement and encourage action in support of the nation’s cyber critical infrastructure, including the implementation of the National Cyber Strategy.”
  • “We recently reported that when faced with threats of unprecedented scale, such as the COVID-19 pandemic, a whole-of-government response is required. Moreover, clearly defining roles and responsibilities for the wide range of federal departments and other key players becomes critically important in order to overcome such challenges. We also have previously reported that the single most important element of successful government improvement initiatives—such as strategic efforts to address major challenges like ensuring the cybersecurity of the nation—is the demonstrated commitment of top leaders. Federal standards for internal control in the federal government also emphasize the importance of maintaining leadership continuity in order to achieve agency objectives. For these reasons, and others, we have highlighted the need to ensure that top leadership drives transformation and establishes dedicated teams to manage transformation processes….

“The White House identified the NSC as the organization responsible for coordinating the implementation of the National Cyber Strategy. However, since the elimination of the position of the White House Cybersecurity Coordinator in May 2018, it has remained unclear what official within the executive branch ultimately maintains responsibility for not only coordinating execution of the Implementation Plan, but also holding federal agencies accountable for the nearly 200 activities moving forward….

“Without a clearly defined central leader to coordinate activities, as well as a process for monitoring performance on the Implementation Plan activities, the White House cannot ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy and, ultimately, overcome this urgent challenge.”

  • The executive branch’s leadership of the National Cyber Strategy’s implementation is unclear, even though an implementation plan was developed. Specifically, though the Implementation Plan describes a coordination structure to support the implementation of the strategy, the executive branch’s process and entity responsible for ensuring that the strategy’s goals are achieved has not been fully defined. Further, the Implementation Plan assigned cybersecurity-related activities to federal entities. However, neither the strategy nor the Implementation Plan articulate how the White House can hold these entities accountable for accomplishing their assigned activities.”
  • “Without a risk assessment, including an analysis of the threats to, and vulnerabilities of, critical assets and operations, the executive branch is unable to adequately make informed management decisions about resource allocations required to minimize risks and maximize returns on resources expended.”

More information on the National Cyber Director Act.

More information about the Cyberspace Solarium Commission Report and the Pandemic White Paper highlighting the need for National Cyber Director.

GAO Report 20-629.