Experts agree that uncertainty over U.S. cyber security leadership is affecting government capacity to respond to the growing universe of cyber threats. Despite bipartisan support for the creation of a National Cyber Director, based on reports from the Cyberspace Solarium Commission (CSC), the Government Accountability Office (GAO), and others, as well as passage by the House as part of the National Defense Authorization Act (NDAA) in July, progress appears stalled in the Senate, which has called for further study of the issue.
A new report by SPA faculty members Sasha Cohen O'Connell and Kiran Raj provides a plan to break the impasse and call for immediate action. In The United States Needs a National Cyber Director: A Roadmap for Making it Happen in 2021, O’Connell and Raj recommend that the position be immediately created, and filled within the first 100 days of the next presidential administration.
“We took on the development of this guide to help move forward the process of creating a National Cyber Director (NCD) by summarizing the current thinking on the issue and providing concise recommendations and implementation priorities,” states the report, available publicly on October 5.
A precursor to the NCD position existed in the past, but was eliminated in 2018 in a general downsizing of the National Security Council, leaving multiple disparate agencies, such as the DHS, DOJ, and DOD to coordinate a complicated cyber policy and operations effort without a central coordination function. O’Connell and Raj argue for rebuilding better, and smarter. Instead of developing a new cyber agency or replacing existing departments, they advocate for the creation of a high-level White House entity that coordinates cyber operations and policy across the entire federal government and represents a consistent voice to external stakeholders.
“It is not just about the return of a cyber coordinator as we have known the role” said O’Connell. “We are endorsing the idea of enhanced responsibilities and authorities and also making [the director] an Assistant to the President, which is a significant change. We have laid out a roadmap, a concise summary of what’s been said and done previously, where we are today, additional implementation recommendations, and a prioritized action plan and decision document.”
O’Connell’s academic and professional background gives her particular insight into the organizational problems and solutions posed by the structure of cyber coordination. Currently an executive in residence and the director of the Terrorism and Homeland Security Policy Master’s program at SPA, she earned her MPA and PhD at AU, then spent years rising in the ranks of the Federal Bureau of Investigation, with senior positions in the Strategy Management Office and the Criminal Investigative Division. More recently, O’Connell served as the organization's Chief Policy Advisor for Science and Technology and as Section Chief of the Office of National Policy. This last role, the first of its kind, led to intensive policy engagement with the National Security Council.
“While I was in that role, we worked on issues like the development of what became Presidential Policy Directive PPD 41, which articulates the roles and responsibilities of executive branch agencies and the White House for cyber critical incident response,” said O’Connell. “Throughout that process, along with similar processes focused on international hostage taking and even Arctic policy, I came to really appreciate the role the White House can and should play in supporting the expertise and energy in the departments and agencies and ensuring strategic efforts are coordinated.
Co-author Kiran Raj, JD is a senior executive in a financial technology company with experience in private legal practice and as Deputy General Counsel at the Department of Homeland Security, working directly with leaders of corporate America on the intersection of cybersecurity and privacy with law, policy, and technology. He held a similar role at the U.S. Department of Justice, as Senior Counsel to the Deputy Attorney General. Raj’s engineering and government experience combines with deep practical expertise to advise on the legal and technical aspects of the NCD recommendation.
“As an engineer working in private practice and then a lawyer working in DOJ and DHS on national security and cybersecurity matters, I saw first-hand how important it is to have senior leaders understand technology issues and be able to grasp the threat and possible solutions quickly and efficiently,” said Raj.
The demand for trained cyber professionals has transformed higher education over the last decade. O’Connell and Raj are part of a growing cyber curriculum at SPA currently offering undergraduate and graduate classes in cyber policy and cyber threats and security.
“One of SPA’s big differentiators is that we are practitioner-informed in everything we do,” said O’Connell. “To understand cyber policy issues we need to understand the players, structures as well as policy issues. So [the report] is very connected to the work we’re doing in the classroom.” In classic hands-on fashion, SPA graduate students Amber Smoyer and Bailey Fillinger and alumna Moriah Kairouz Batza contributed to the NCD report.
The United States Needs a National Cyber Director: A Roadmap for Making it Happen in 2021 reviews the relevant literature, details recommendations for structural changes, and is specific in noting the steps required to get there by spring. The report provides clarity on the national cyber director question.
“As the cyber threat continues to increase and become more sophisticated, it is even more important for the federal government to have a senior adviser to the President for cybersecurity matters” said Raj.
He and O’Connell hope that this package will also inform the current work happening in both the Trump and Biden transition teams in terms of setting priorities. Cyberspace Solarium Commission Executive Director Mark Montgomery agreed on report’s value, and the urgent nature of its recommendations.
"This report is an excellent review and assessment of the ongoing debate and literature surrounding the NCD position,” offered Montgomery. “It validates the Commission's position that an NCD is critical to the effective development, implementation, and oversight of a national cyber strategy."
“We can't keep talking about this for another four years,” said O’Connell. “We've looked at all the data, all the research, and all the findings, and have laid out what it should look like. You can pick pieces from the menu. But we don't need to study this anymore.”
Raj seconded this sense of urgency. “Now is the time to act,” he said.