Fears, the new homeland security adviser, “clearly has a steep learning curve on cybersecurity issues,” said Ari Schwartz, a former top White House cyber official. In the current White House, she said, “who is the sole person responsible for [ensuring] that agencies across the federal government are making sure that they are not vulnerable to those types of .
The absence of senior cybersecurity leaders in President Donald Trump’s administration may be leaving the United States more vulnerable to digital warfare and less prepared for attacks on election systems, according to lawmakers and experts worried about White House brain drain under national security adviser John Bolton.
Both Republicans and Democrats are expressing concern that the White House is rudderless on cybersecurity at a time when hostile nations’ hackers are moving aggressively, inspiring fears about disruptive attacks on local governments, power plants, hospitals and other critical systems.
POLITICO spoke with nearly two dozen cyber experts, lawmakers and former officials from the White House, the intelligence community and the departments of Justice, Homeland Security, Defense and State about Bolton’s decisions to oust the White House’s homeland security adviser and eliminate its cyber coordinator position. The overwhelming consensus is that Bolton’s moves are a major step backward for the increasingly critical and still-evolving world of cyber policy.
The widely respected cyber policy expert Tom Bossert, Trump’s former homeland security adviser, resigned in April just after Bolton joined Trump’s White House staff. Late last week, Trump named Doug Fears, a former Coast Guard Atlantic region chief of staff, as his new homeland security adviser, but while several sources praised Fears’ handling of disaster response issues, they noted that he is not a cybersecurity expert.
On May 15, Bolton eliminated the post of White House cybersecurity coordinator following the departure of Rob Joyce, who had held the job since shortly after Trump’s inauguration. Bolton’s staff has said cutting the cyber position would “streamline” decision-making in the National Security Council by reducing a layer of management. But other people familiar with the post say it’s setting up the U.S. for problems.
The leadership void erodes “confidence [that] we’re going to be ready, when we get hit by a cyber incident, to react with anything approaching swiftness and decisiveness,” said Chris Painter, who was the State Department’s top cyber diplomat from 2011 to 2017 – a post that former Secretary Rex Tillerson also eliminated early in Trump’s presidency. Painter said he worries about this indecisiveness “being detected by our adversaries.”
Michael Daniel, former President Barack Obama’s cyber coordinator, said the gap in the White House “represents a significant weakness.” And Greg Garcia, DHS’s first assistant secretary for cybersecurity during the George W. Bush administration, said everything that had been moving forward in the federal government regarding cybersecurity is “going to suffer a bit without some central coordination authority.”
As for Fears, said Daniel, “I don’t think that his appointment fundamentally addresses the void in White House leadership on cybersecurity matters . … That’s not his area of expertise, so this Administration still has a problem in that regard.”
Last week, nearly two dozen Senate Democrats sent a letter to Bolton calling the elimination of the cyber coordinator “a step in the wrong direction.” On May 16, the day after the National Security Council announced Bolton’s decision, eight House Democrats implored Trump to name a coordinator who could serve as “a visible figurehead that other government agencies, the private sector, and our allies can turn to for guidance.”
And on May 24, Maine Sen. Susan Collins became the first Republican lawmaker to voice concerns, urging the White House to publish a cyber strategy and saying a coordinator would be vital to its implementation.
Sen. Mike Rounds (R-S.D.), who chairs the Armed Services cyber subcommittee, recently requested a meeting with Bolton to discuss the situation.
“A lot of us are concerned that cyber leadership is missing,” said Rep. Bennie Thompson (D-Miss.), the top Democrat on the Homeland Security Committee. “It’s difficult to execute a mission with no one at the top.”
The White House and its allies defended the moves, saying they didn’t imply any lack of focus on cybersecurity. The Trump administration has taken public steps on cyber issues since Bossert and Joyce’s departures, issuing two alerts from the FBI and DHS about Russian and North Korean hacking.
“Cybersecurity is one of Ambassador Bolton’s highest priorities,” an NSC spokesman told POLITICO, adding that the administration “is focused on addressing the nation’s many cybersecurity challenges, not in laboring beneath layers of unnecessary and time consuming bureaucracy.”
Panic over the restructuring in the NSC is premature, said Rep. John Ratcliffe (R-Texas), chairman of the House Homeland Security cyber subcommittee. “How do we know that the organization chart isn’t going to be restructured and they’re going to create a new, different position that they feel is better suited to address cybersecurity as a priority?”
Fears, the new homeland security adviser, “clearly has a steep learning curve on cybersecurity issues,” said Ari Schwartz, a former top White House cyber official. But Schwartz and others said Fears was competent and well-respected, which would serve him well in coordinating agency discussions.
Still, said Healey, “unless Doug Fears insists on reestablishing a senior role for cybersecurity, he will be using [his] disaster recovery experience to deal with one cyber crisis after another.”
Jeanette Manfra, the DHS assistant secretary for cybersecurity and communications, downplayed the negative consequences of eliminating the coordinator role. Speaking at a recent conference, she said agencies were ready for “a different type of governance” in which they made more policy decisions themselves.
Still, worries about the gaps in the White House’s cyber leadership have seeped into the private sector.
One former congressional staffer recalled meeting with a senior financial services executive when Bossert’s resignation became public. “He was despondent,” said the former staffer, who requested anonymity to discuss a private meeting. The executive, who “kept shaking his head,” told the staffer that the financial sector had “essentially written [the White House] out” of its incident response plan “because there was ‘nobody to work with.'”
Security researchers, on whom the government often depends for insights into evolving threats, were also frustrated. “The elimination of the [coordinator] position after [Joyce’s] departure confirms my worst fears – the administration is absolutely unwilling to listen to cybersecurity experts,” said former NSA hacker Jake Williams, the founder of the security firm Rendition InfoSec.
Since the Obama administration created the White House cyber coordinator role in 2009, the position has been key in resolving conflicts among agencies, preparing Cabinet leaders to make major policy decisions and responding to crises, according to cyber experts and former government officials who spoke to POLITICO.
Those experts conceded that agencies’ day-to-day operations will proceed normally – including the bulk of DHS’s work on election security and protection of critical infrastructure such as banks and the electric grid, and the Pentagon’s various operations in cyberspace.
But they said it will likely become increasingly difficult to bring agencies together to formulate big-picture strategies, such as how best to use America’s potent cyber capabilities – the intelligence community and the military often spar over this issue – how to more effectively deter adversaries like Russia from launching cyberattacks, and how to improve existing efforts like DHS’s security partnerships with states. Other debates requiring input from multiple agencies, such as how hard the government should press tech companies to use warrant-compatible encryption, will also stall, they said.
“If you don’t have those individuals really pounding the table . to drive that policy process,” said Lisa Monaco, Obama’s second homeland security adviser, “you’re not going to get those options surfaced, teed up, and decisions made.”
Michael Bahar, a former Democratic staff director on the House Intelligence Committee and top lawyer at the NSC, stressed that the coordinator’s role is far from trivial, especially in forming and executing an “an all-of-government strategy” across various agencies. “Because the bad guys or adversaries are certainly not waiting around for us to restructure,” he said.
The White House maintains that government-wide discussions on cyber have not suffered.
“With the existing structure, the administration continues to hold malicious cyber actors accountable, modernize federal networks, plan for tomorrow’s cyber-workforce and promote cybersecurity to both the public and industry,” said the NSC spokesman.
But recent events have bolstered experts’ concerns that an NSC devoid of top cyber officials might have trouble resolving agency disagreements about the language of key reports or major executive orders. Already, White House turmoil delayed by three weeks the publication of key strategy documents that Trump asked agencies to put together in a May 2017 executive order. Several of those reports finally appeared last week, but without any accompanying message from the White House explaining how it would use the documents to develop new policies.
“It is hard to imagine the indefinite postponement of a marquee event such as that would have happened if Bossert/Joyce were still at the [White House],” said a tech industry lobbyist familiar with internal administration dynamics, who requested anonymity to speak candidly.
Daniel, the former Obama cyber coordinator, also feared that the gaps will cause “operational impacts” if one agency wants to launch a campaign – like a botnet takedown, a series of arrests or a military strike – that will affect the priorities and interests of other agencies.
“Those may not be getting resolved very quickly,” he said, “and so operations may have to be put on hold.”
But on the other hand, some experts worry that agencies will begin acting more boldly on their own if they see delays and gridlock in the NSC process. That “increases the risk that consequential [agency] decisions fly under the NSC’s radar, thus increasing the risk that the White House becomes blindsided by decisions made without its full awareness and input,” said DJ Rosenthal, a former Justice Department and intelligence community official who served as director for counterterrorism at the NSC.
The lack of a cybersecurity coordinator may become especially acute in a crisis. For instance, Monaco pointed to Daniel’s role in leading the response to the massive hack of the Office of Personnel Management that came to light in 2015, which exposed highly sensitive security clearance documents on more than 20 million current and former federal employees and applicants. That break-in was widely believed to be the work of Chinese hackers.
“Those discussions had to come together, at the first instance, [through] the cyber coordinator, and then ultimately to [Cabinet secretaries],” Monaco said. “But you needed one person driving that.”
Monaco also praised Daniel for his handling of Heartbleed, a major security bug that required rapid evaluations of federal computer systems. In the current White House, she said, “who is the sole person responsible for [ensuring] that agencies across the federal government are making sure that they are not vulnerable to those types of . legacy vulnerability?”
Experts also worry that the lack of a coordinator will complicate the administration’s efforts to protect elections.
DHS has been “leaning forward” in its day-to-day consultations with states to prepare for this year’s midterm elections, said Frank Cilluffo, director of the George Washington University Center for Cyber and Homeland Security, but he said the government lacks a more strategic approach. “Disinformation, active measures – that’s more than just a DHS mission,” he said. “That’s an FBI mission. That can be an intelligence mission overseas.”
White House officials must knit all those efforts together, he said.
Jeh Johnson, Obama’s second homeland security secretary, said the government needs “senior people leading the cybersecurity charge. . At the White House level, there appears to be no one running traffic control.”
The lack of a cyber coordinator will also hamper the administration’s efforts to promote international norms and build alliances on digital security issues, said Painter, who played a key role in getting the G-20 to formally disavow cyber-enabled intellectual property theft. That “never would have gotten done” without the involvement of senior White House officials, he said.
The same was true of a 2015 deal in which China and the U.S. both agreed not to hack each other’s computer systems for economic gain. “That was about two years of consistent pressure not just by me but by the highest levels of our government,” he said.
And White House officials have been key to resolving debates between the military and the intelligence community on how and when to use their increasingly powerful cyber tools, the experts said. The Pentagon often wants to loudly and publicly disrupt enemy networks, while the spies would prefer to keep their capabilities secret and use them for intelligence collection.
Developing national strategies to deter nation-states or criminal hackers from carrying out cyberattacks in the first place also requires White House coordination. In addition, the coordinator and homeland security adviser have been key to promoting the White House’s broad cybersecurity agenda to the public, through interviews and at industry conferences.
Several experts made the analogy to the corporate world: If boards of directors are focused cybersecurity, C-suite executives have to focus on it, which means mid-level managers have to focus on it, too.
“That’s how you create a culture of cybersecurity,” said Bahar, the former NSC and House Intelligence staffer. “If you don’t have it at the board level, or the equivalent in government, then you risk not having cyber receive sufficient attention that it needs.”
Martin Matishak contributed to this report.
Be First to Comment