A little over a month ago, the White House forced out Tom Bossert, its cybersecurity czar. A week later, cybersecurity coordinator Rob Joyce said he would depart as well. And now, rather than replace either, the Trump administration will do without anyone at the helm of its cybersecurity policy. It couldn’t have picked a worse time.
The news that the newly appointed national security adviser John Bolton has decided to phase out the cybersecurity coordinator role was first reported by Politico. In place of a single point person in charge of guiding and shaping US cyber policy, the task will now fall instead to two National Security Council senior directors. The NSC did not respond to a request for comment.
“At a minimum, this decision and the way that it’s being communicated send the wrong signal,” says J. Michael Daniel, who served as cybersecurity coordinator under President Barack Obama and currently heads up the Cyber Threat Alliance nonprofit. “Certainly I think that our adversaries could interpret that as a signal that this administration doesn’t take the issue as seriously, regardless of if that’s actually their intent.”
In fairness, there’s nothing sacred about the cybercoordinator role, specifically. It didn’t exist before the Obama administration, and other corners of the NSC get along fine with a leadership structure similar to what Bolton has imposed. But the nature of cyberthreats, and the broad responsibilities Bossert and Joyce took on, seem particularly in need of centralized command.
“I think it’s probably fair that there’s more policy work to be done right now on cyber than in certain other areas, because it is in a formative stage,” says Joshua Geltzer, former senior director for counterterrorism at the NSC and executive director of Georgetown Law School’s Institute for Constitutional Advocacy and Protection. “You’re at a point where you’re seeing new sorts of cyberthreats materialize.”
While US intelligence agencies are responsible for responding to those threats specifically, the cyberczar role has been in charge of organizing the political responses to those incidents, such as the March sanctions imposed against Russia for its destructive NotPetya ransomware and other online malfeasance. The position has also spearheaded cybersecurity policy, hardening both federal networks and infrastructure against attacks. It’s a lot of hats—and easier for one person to keep track of them all.
“There’s a reason why you wanted to have a focal point for cybersecurity policy in one position. I think that’s a very valuable thing to have,” says Daniel.
Political leaders have expressed their concerns over the move as well. “It’s frankly mindboggling that the Trump Administration has eliminated the top White House official responsible for a whole-of-government cyber strategy, at a time when the cyber threat to our nation is greater than ever,” says senator Mark Warner (D – Virginia), the ranking member of the Senate Intelligence Committee, in a statement. “Our adversaries are investing heavily in 21st century cyber warfare capabilities, and if we only view national security through a conventional 20th century lens, we’re going to find ourselves unable to respond to increasingly asymmetric cyber threats down the road.”
If anything, the cyberthreats from around the world have only increased. In a Congressional briefing in February, the heads of the NSA, CIA, FBI, and ODNI all testified that Russia would continue its attempts to interfere in US democracy. North Korea unleashed WannaCry ransomware on the world a year ago, and has been continually emboldened online. And with the US withdrawal from the Iran nuclear deal, cybersecurity experts warn that the country could once again target its sophisticated cyberattacks at the US.
“If anything, our enemies are only going to do more, not less,” says Daniel.
To face those challenges—as well as those from independent criminal actors—without a coherent cybersecurity policy in place invites unease.
“Big picture, it certainly seems to send a strange message as to how this White House is prioritizing something most of us think the government needs to prioritize more, when it comes to cyberpolicy,” says Geltzer.
The true impact of the move may not become apparent for some time. In response, House Democrats Tuesday introduced a bill that would create a National Office for Cyberspace, with a director confirmed by the Senate. It’s unclear what chance it might have of passing. And for now, either way, fewer capable people will be focused on big-picture cybersecurity issues at the highest level of government than there were before. It’s hard to see how that makes for an improvement.