A little over a month ago, the White House forced out Tom Bossert, its cybersecurity czar. A week later, cybersecurity coordinator Rob Joyce said he would depart as well. And now, rather than replace either, the Trump administration will do without anyone at the helm of its cybersecurity policy. It couldnâ€™t have picked a worse time.
The news that the newly appointed national security adviser John Bolton has decided to phase out the cybersecurity coordinator role was first reported by Politico. In place of a single point person in charge of guiding and shaping US cyber policy, the task will now fall instead to two National Security Council senior directors. The NSC did not respond to a request for comment.
â€œAt a minimum, this decision and the way that itâ€™s being communicated send the wrong signal,â€� says J. Michael Daniel, who served as cybersecurity coordinator under President Barack Obama and currently heads up the Cyber Threat Alliance nonprofit. â€œCertainly I think that our adversaries could interpret that as a signal that this administration doesnâ€™t take the issue as seriously, regardless of if thatâ€™s actually their intent.â€�
In fairness, thereâ€™s nothing sacred about the cybercoordinator role, specifically. It didnâ€™t exist before the Obama administration, and other corners of the NSC get along fine with a similar leadership structure to what Bolton has imposed. But the nature of cyberthreats, and the broad responsibilities Bossert and Joyce took on, seem particularly in need of centralized command.
â€œI think itâ€™s probably fair that thereâ€™s more policy work to be done right now on cyber than in certain other areas, because it is in a formative stage,â€� says Joshua Geltzer, former senior director for counterterrorism at the NSC and executive director of Georgetown Law Schoolâ€™s Institute for Constitutional Advocacy and Protection. â€œYouâ€™re at a point where youâ€™re seeing new sorts of cyberthreats materialize.â€�
While US intelligence agencies are responsible for responding to those threats specifically, the cyberczar role has been in charge of organizing the political responses to those incidents, such as the March sanctions imposed against Russia for its destructive NotPetya ransomware and other online malfeasance. The position has also spearheaded cybersecurity policy, hardening both federal networks and infrastructure against attacks. Itâ€™s a lot of hatsâ€”and easier for one person to keep track of them all.
â€œThereâ€™s a reason why you wanted to have a focal point for cybersecurity policy in one position. I think thatâ€™s a very valuable thing to have,â€� says Daniel.
Political leaders have expressed their concerns over the move as well. â€œItâ€™s frankly mindboggling that the Trump Administration has eliminated the top White House official responsible for a whole-of-government cyber strategy, at a time when the cyber threat to our nation is greater than ever,â€� says senator Mark Warner (D – Virginia), the ranking member of the Senate Intelligence Committee, in a statement. â€œOur adversaries are investing heavily in 21st century cyber warfare capabilities, and if we only view national security through a conventional 20th century lens, weâ€™re going to find ourselves unable to respond to increasingly asymmetric cyber threats down the road.â€�
If anything, the cyberthreats from around the world have only increased. In a Congressional briefing in February, the heads of the NSA, CIA, FBI, and ODNI all testified that Russia would continue its attempts to interfere in US democracy. North Korea unleashed WannaCry ransomware on the world a year ago, and has been continually emboldened online. And with the US withdrawal from the Iran nuclear deal, cybersecurity experts warn that the country could once again target its sophisticated cyberattacks at the US.
â€œIf anything, our enemies are only going to do more, not less,â€� says Daniel.
To face those challengesâ€”as well as those from independent criminal actorsâ€”without a coherent cybersecurity policy in place invites unease.
â€œBig picture, it certainly seems to send a strange message as to how this White House is prioritizing something most of us think the government needs to prioritize more, when it comes to cyberpolicy,â€� says Geltzer.
The true impact of the move may not become apparent for some time. In response, House Democrats Tuesday introduced a bill that would create a National Office for Cyberspace, with a director confirmed by the Senate. It’s unclear what chance it might have of passing. And for now, either way, fewer capable people will be focused on big-picture cybersecurity issues at the highest level of government than there were before. It’s hard to see how that makes for an improvement.
More Great WIRED Stories