More than two months after taking office, President Joe Biden has yet to nominate a national cybersecurity director, even as the federal government deals with the massive SolarWinds breach announced late last year.
Several lawmakers and cybersecurity experts are pushing the Biden administration to name a cybersecurity director to be in charge of federal cybersecurity policy and strategy. The new job, created in the 2021 National Defense Authorization Act passed on Jan. 1, would take on some of the White House cybersecurity coordinator’s responsibilities, a position eliminated in 2018 during former President Donald Trump’s administration.
The nomination, however, is complicated because Congress hasn’t yet provided funding for the 75-person office that the director would lead. Also, the Biden administration is working to ensure that the director has authority to lead an interagency response to cybersecurity issues that would include the intelligence community and the military, said a person with knowledge of the administration’s efforts.
Still, it is “incredibly important” for the Biden administration to appoint a new cybersecurity director, said Rep. Jim Langevin, a Rhode Island Democrat, who had sponsored a bill to create the position.
“The steady stream of significant cyber incidents we have seen in recent months underscore our vulnerability to China and Russia,” he said in a statement responding to questions from the Washington Examiner. “We need someone at the White House in charge of coordinating our cyber defenses, both during an incident and in preparation for one. Our adversaries are not sitting still.”
While a new cybersecurity director won’t solve all cybersecurity problems, “it is a lynchpin in reducing our cyber risk, and every day the president delays puts us more at risk,” he added.
Langevin said the Biden administration should consider three people as leading candidates for the position. They are Chris Inglis, former deputy director of the National Security Agency; Suzanne Spaulding, former undersecretary at the Department of Homeland Security and head of the agency’s National Protection and Programs Directorate; and Michael Daniel, former special assistant to President Barack Obama and cybersecurity coordinator on the National Security Council. The director will need to be confirmed by the Senate.
Independent Sen. Angus King of Maine has also called on Biden to appoint a director. King served as co-chairman of the Cyberspace Solarium Commission, which recommended the position. “This isn’t optional; this is a matter of settled law,” a King spokesman said.
The White House didn’t immediately respond to a request for comments on efforts to fill the position.
Cybersecurity is a top priority for the Biden administration, said Emily Horne, a White House National Security Council spokeswoman. The administration has taken a “whole-of-government,” 60-day review in response to the SolarWinds attack. It is working on an executive order to make “fundamental improvements” to national cybersecurity, she told the Washington Examiner.
“Like Congress, we are committed to the defense of the nation’s cybersecurity,” she added. “We understand the intense interest in the outcome of this review. However, this work is too important to rush, and we must get it right for the American people.”
Several cybersecurity experts echoed the push from Langevin and King.
“In this day and age, having someone own the cybersecurity policy is absolutely critical,” said Purandar Das, CEO and co-founder at Sotero, a cybersecurity vendor. “Cybersecurity is a critical part of the nation’s defense and offense. It is a matter of national security that should be owned by a qualified individual.”
The country needs a leader to manage all aspects of cybersecurity policy, he added. “The ability and desire of state-sponsored groups to cause both economic harm and in some instances attempt to manipulate the foundations of the country’s democracy has been well documented,” he told the Washington Examiner.
The new director will head an office of 75 people at the White House. The cybersecurity director will serve as the “principal advisor to the president on cybersecurity policy and strategy,” including incident response, cybersecurity diplomacy, and coordination of defensive strategies for the government and critical infrastructure operators.
It’s “essential” to get a director in place, said Richard Blech, founder and CEO of XSOC, an encryption vendor. “The country is under daily attack from nation-state bad actors, China, Russia, and Iran, to name a few,” he told the Washington Examiner. “The federal government and all of its departments and agencies is massive both in complexities and in people.”
Cybersecurity policy and response need leadership from the top of the federal government, he added. “Since a significant majority of breaches in the public sector involve human error and not technology, it is highly important that the new director provide broad deployment of up-to-date information and insist on all participants that handle digital data to be fully educated in cybersecurity best practices and hygiene,” he said.
Meanwhile, Blech said the lack of a director presents “bad optics” both to U.S. residents and to adversaries elsewhere. “The lack of a director looks like we either do not have a concern or are unorganized, neither is good and would likely lead to confusion and even power grabs in a highly partisan political environment that would leave us vulnerable to be exploited while there is a lack of leadership in place,” he added. “We need to be prepared and preemptive, not reactive, chasing a solution after the damage of a breach is already done.”
