RIP Cyber Coordinator: An Obituary

By Jason Healey

Jason Healey is a Cipher Brief Cyber Advisor and Senior Research Scholar at Columbia University’s School for International and Public Affairs, and Visiting Scholar at the Hoover Institution at Stanford University, specializing in cyber conflict and risk. He started his career as a U.S. Air Force intelligence officer, before moving to cyber response and policy jobs at the White House and Goldman Sachs. Healey was founding director for cyber issues at the Atlantic Council where he remains a Senior Fellow and is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012. He is on the DEF CON review board and served on the Defense Science Board task force on cyber deterrence.

Rest in peace, Cyber Coordinator. The White House’s Special Assistant to the President and Cyber Coordinator has now been eliminated, apparently ending (or more likely pausing) a two-decade history. It will widely be reckoned as a hideous mistake but not perhaps the one which most needs our immediate attention.

The position of cyber coordinator dates back to recommendations from the pivotal President’s Commission on Critical Infrastructure Protection (PCCIP) of 1997, which reported that “capability to do harm—particularly through information networks—is real; it is growing at an alarming rate; and we have little defense against it” and therefore recommended “a top-level policy making office in the White House” for cyber and infrastructure protection.

The following year, President Bill Clinton picked up this recommendation in PPD-63: a “National Coordinator [for cyber and infrastructure protection] will be appointed by me and report to me through the Assistant to the President for National Security Affairs,” that is, working in the White House and reporting through his National Security Advisor (APNSA).

The National Coordinator so chosen was Richard A. Clarke, then the counter-terrorism coordinator and the only person to hold the role who lived up to the billing of “Cyber Czar.” (Though my colleague Bob Gourley quipped nearly a decade ago that the United States has long had a cyber czar: Vladimir Putin, as his spies are in so many US networks.) Within the White House, the early cyber role fell under infrastructure protection, with Howard Schmidt being an early advisor, in 2001, as were Marc Sachs and other now-famous cyber luminaries.

When I arrived at the White House in 2003, my title flip-flopped a bit between Director of “Critical Infrastructure Protection” and “Cyber Infrastructure Protection” depending on the day’s agenda. Paul Kurtz and Paul Nicholas held the job of Special Assistant to the President (or Senior Director) for Critical Infrastructure Protection, reporting not to the National Security Advisor, but to the post-9/11 role of Assistant to the President for Homeland Security and Counterterrorism (APHSCT). After I departed, Tom Bossert (a future APHSCT himself) joined the office.

The office only handled some cyber issues. Some parts of response and recovery were overseen by another group, soon to be run by Kirstjen Nielsen (now the Secretary of DHS), while the oversight of cyber offense and intelligence was run from the NSC directorates handling those issues, and reporting separately to the National Security Advisor.

The process of an independent Cyber Coordinator bringing together all this work perhaps began with the work by Melissa Hathaway and others on the Comprehensive National Cybersecurity Initiative, a massive (and then-classified) effort of the administration of George W. Bush for an “enduring and comprehensive approach to cybersecurity that anticipates future cyber threats and technologies and involves applying all elements of national power and influence to secure our national interests in cyberspace.”

The new administration of Barack Obama continued the work of CNCI but named Hathaway as Acting Senior Director for Cyberspace, reporting to both the national security and homeland security advisors, to develop a new 60-Day Cyberspace Policy Review. Most critically, the document was clear that “The White House must lead the way forward,” with “leadership that draws upon the strength, advice, and ideas of the entire Nation.”

Accordingly, the top recommendation was “Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official [and] to coordinate interagency development of cybersecurity-related strategy and policy.” By the end of the year, President Obama had brought Howard Schmidt back to the White House to fulfill this pledge.

Schmidt held the job for nearly two years before being replaced by Michael Daniel, an official from the Office of Management and Budget, in 2012. After the election of Donald Trump, Rob Joyce, from the National Security Agency, took the job in March 2018 and reported to Tom Bossert, the Homeland Security Advisor, until Bossert’s sudden ouster by John Bolton, President Trump’s third National Security Advisor in only fifteen months.

Collectively these Cyber Coordinators (and their predecessors) have overseen an amazing amount of work: countless new policy directives, strategies, and initiatives that have helped meet the challenge noted by the PCCIP in 1997.

Since 2009, what these officials had in common was a united directorate overseeing all aspects of cyber, both defensive and offensive, so they were relatively strong bureaucratic players, able to work the “interagency process” to bring the various departments and agencies together. This is the first and main casualty of the Trump administration’s elimination of the position.

The loss will perhaps most quickly be felt in cyber incident response, as the Cyber Coordinator oversaw the Cyber Response Group to handle routine and emergency cyber crises. It also will mean that whichever department currently has the President’s ear the most will likely get its way most often – right now in cyber policy, that most likely means the Department of Defense. The normal interagency process to balance these interests and options will be seriously weakened. Federal cybersecurity, international coordination, cyber workforce … all will be hampered.

The White House has not needed to “streamline authority” because “cyber coordination is already a core capability,” as it was put in the memo announcing the change to the NSC. In fact, both of the most recent major policy commissions (one by the CSIS think tank and the other led by Tom Donilon and Sam Palmisano) recommended elevating the role of coordinator to be its own Assistant to the President, not eliminating it.

The Bolton position seems to be for a smaller, leaner NSC to better empower the Cabinet. However, this only makes sense when the Cabinet is functioning smoothly and well, not something that can easily be said for the first 15 months of the Trump administration. When the Cabinet is chaotic, the White House must be larger and stronger, to be able to effectively convene and bring the clashing departments and agencies together. That cannot be done by demoting the person in charge.

Bolton is not just getting rid of the Cyber Coordinator role. So far, no replacement has been named for the even more important Homeland Security Advisor position. The APHSCT didn’t just oversee cybersecurity, but other critical issues like hurricane response as well.

As a former White House cyber official noted to me, if this position is also eliminated, it means that working homeland security issues will have no direct access to the President; no direct access to the National Security Advisor, having to go through the Deputy, Mira Ricardel (who has little or no homeland security or cyber expertise); and no participation in senior staff meetings. This equates to the bureaucratic wilderness.

National security and homeland security (including cyber) are not alike. As former DHS deputy secretary Jane Lute puts it, national security is “strategic, centralized, top-driven; it’s about all of us,” while “homeland security is operational, decentralized, bottom-driven; it’s about each of us.” Moreover, in national security “there’s unity of command. In homeland security, it’s a unity of effort.”

These differences are critical. Eliminating the position of Cyber Coordinator is a step back and one that will certainly be reversed in future, whether by this president or the next. The possible elimination of the Homeland Security Advisor is even more questionable. Storm season is coming, either a metaphorical cyber storm or a literal hurricane. This White House is far less able to deal with either.
