Parting Shots (Q3 2020 Issue)

At the end of 2019, it was announced that the CEO of the UK’s National Cyber Security Center (NCSC), Ciaran Martin, was to step down from his position having led the NCSC since it opened in 2016.
 
In an email sent to Infosecurity at the time of writing, the NCSC had no further details on Martin’s departure date or potential replacement, and that may have (understandably) been down to the various uncertainties surrounding the COVID-19 pandemic. However, it does leave the issue open with regards to who will be responsible for the UK’s cybersecurity strategy and response when Martin does depart.

Prior to the opening of the NCSC, it seemed that there was a collection of people responsible for cybersecurity in central government. These included those at GCHQ (where Martin worked previously), MPs including James Brokenshire and Francis Maude, and figures at CERT-UK, along with the Ministry of Defense, Cabinet Office and Home Office. What cybersecurity needs at a government level is a figurehead of responsibility, and it does seem that the UK is one of the nations which has achieved this via Martin.

So, it was interesting to read an article in the Washington Post in June which claimed that a bipartisan group of lawmakers were looking to create a new White House czar to lead cybersecurity decision-making throughout government in the US. 

The bill the article cited claims that the individual would make cybersecurity recommendations directly to the President, as well as oversee cybersecurity plans, operations and budgets in the government.

The bill proposes “to establish the Office of the National Cyber Director” who will be appointed by the President “by and with the advice and consent of the Senate.” The duties that the bill lists are plentiful, including serving as the principal advisor to the White House on cybersecurity strategy and policy, along with developing the US national cybersecurity strategy.

There would also be the duty to make relevant recommendations to the President on the appropriate level of integration and interoperability across the Federal cybersecurity operations centers, while they would also lead “interagency planning for the Federal government’s integrated response to cyber-attacks and cyber-campaigns of significant consequence.”

The sponsors of the new legislation were reported as saying that cybersecurity leadership is “one of the glaring gaps in our national strategy,” and that it was “the best way of ensuring vital cybersecurity work across the government is actually completed.” They notably asked “how are we going to prevent the next office of personnel management (OPM) breach if we don’t have someone really coordinating?”

Those comments were made by James R. Langevin, who is the US representative for Rhode Island’s second congressional district and one of the bill’s main sponsors. He called the OPM breach “an intelligence loss that we’ll be feeling for a generation.

“A national cyber-director could have zeroed in and forced the department to close the vulnerability,” he told the Washington Post.

Whilst the actual position may be a challenging one for the current or potential future President to deal with – remember, Donald Trump initially removed the position in 2018 when Rob Joyce left the White House to return to the NSA – it may become a reality with bipartisan support behind the bill.

Those from the industry that Infosecurity connected with about the plans were also positive. Brandon Hoffman, CISO, head of security strategy at Netenrich, called it “a reassuring step to see Democrats and Republicans come together on such an important issue.” 

He added: “There definitely needs to be somebody leading the strategy at a national level across all facets of cybersecurity. Directing policy on internal government systems is a first step, but how wider policy impacts the lives and privacy of citizens is where there is another glaring hole today.”

However, he admitted that the role will come with various challenges, including getting the branches of government and its departments and teams to fall in line under a single point of policy creation. “Consider all the work done by different branches of the government to create policy and perform the technical work needed for enforcement – it will be a tremendous amount of work and expense to make significant technical changes due to new overarching policy should the authority extend that far,” he said.

“On the other hand, the cyber-czar does need the authority to make unilateral decisions for the country, especially in times where the fragmentation of our cyber-strategy has caused some of our biggest downfalls.” So getting a united front behind a US national cybersecurity czar would be one of the main challenges.

Likewise, Bob Stevens, vice-president for Americas at Lookout, explained that, as more organizations and agencies transition towards sustained, full-time teleworking, “we need a federal cybersecurity director to help safeguard our national interests and citizens from cyber-threats.”

As well as securing a global workforce now mostly working remotely, Stevens pointed out that the upcoming US election is taking place “while most people are required to work from home” and so that is another reason why we’ll see more emphasis on cybersecurity as elected officials focus their attention towards November.

Ultimately, cybersecurity does need government and national levels of leadership, and if this bill is passed in the US with cross-party backing, it will go some way to providing a voice for the industry at a national level.
