May 292018

Amid Growing Threats, White House Dismantles Top Cybersecurity Post

Cameron F. Kerry, Christopher Fonzone, Michael R. Roberts and Laura Sorice
, ,

On May 15, 2018, various media outlets reported that the Trump administration decided to eliminate the position of White House Cybersecurity Coordinator. According to reports, John Bolton, appointed as National Security Adviser effective April 2018, had been instrumental in the decision that the position was no longer necessary based on the reasoning that the role was already addressed by other members of President Trump’s national security staff. The administration’s decision was met with sharp criticism, including from Democrats in Congress such as U.S. Senator Mark R. Warner (D-VA) who called the move “mindboggling” and cybersecurity expert Bruce Schneier, who called it “a spectacularly bad idea.”

The position was established nine years ago to provide presidential engagement and Executive Branch coordination on cybersecurity.  Then President Obama noted, “[n]o single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge.” In response, the Cybersecurity Coordinator would provide central coordination for cybersecurity strategy across various federal agencies and help “collaborate with industry to find technology solutions that ensure our security and promote prosperity.” To ensure a broad policy perspective, the Cybersecurity Coordinator was assigned to both the National Security Staff and the National Economic Council. Howard Schmidt served as the first Cybersecurity Coordinator until 2012, succeeded by J. Michael Daniel who held the position through the end of the Obama administration.

The Trump administration initially maintained the position and President Trump appointed his own Coordinator, Rob Joyce, reporting to Homeland Security Adviser Tom Bossert.   Joyce and Bossert brought over 40 years of combined experience in national security to the White House’s cyber team. Joyce came from the National Security Agency, where he has worked since 1989, while Bossert served as the Deputy Homeland Security Adviser to President George W. Bush in the last year of his administration and subsequently was a fellow at the Atlantic Council’s Cybersecurity Initiative. During their tenure at the White House, Joyce and Bossert together were responsible for managing the government’s response to cyber threats, including the WannaCry ransomware attack.

Joyce announced his resignation from the post in early April to return to the NSA. Compounding the impact of Joyce’s departure, Bossert resigned on April 10, following the announcement of Bolton’s appointment as National Security Adviser.  Then word came out that the position would be eliminated altogether.

The elimination of the Coordinator role occurs during at a critical time when the federal government works to counter what Daniel R. Coats, Director of National Intelligence, assesses as cyber threats from “both nation states and malign actors [that have] become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” To address these threats, both the Obama and Trump administrations have taken a multi-faceted approach that involves numerous federal agencies and partnership with the private sector.  In 2016, the Commission on Enhancing National Cybersecurity issued its Report on Securing and Growing the Digital Economy that called for reinforcing this approach.

The Trump administration has appeared to continue in this direction.  The May 11, 2017 Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” declared that “the policy of the United States to manage cybersecurity risk as an executive branch enterprise,” reaffirmed the voluntary consensus standards of the National Institute of Standards Technology Cybersecurity Framework as a central element of federal policy, and assigned several inter-agency tasks.  On May 15, 2018, the same day that the position of White House Cybersecurity Coordinator was eliminated, the Department of Homeland Security (DHS) published a Cybersecurity Strategy. In her statement accompanying the publication of the Strategy, Homeland Security Secretary Kirstjen M. Nielsen stated that DHS is “rethinking its approach by adopting a more comprehensive cybersecurity strategy” because “it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”

The departures of Joyce and Bossert from the White House put a spotlight on John Bolton’s views about cybersecurity. Prior to his appointment in the Trump administration, Bolton authored a February 19, 2018 opinion editorial that provided a glimpse of his focus. In the op-ed, Bolton stressed the need “to prevent future Russian attacks or attacks by others who threaten our interest” and advocated creating “structures of deterrence in cyberspace.” Specifically, Bolton argued that the U.S. could create “structures of deterrence” by “engag[ing] in a retaliatory cyber campaign against Russia” – an effort that, according to Bolton, “should not be proportional to what we have just experienced,” but rather “should be decidedly disproportionate.” Bolton concluded that nations that engage in cyberattacks against the U.S. should understand that “the costs to them… will be so high that they will simply consign all their cyberwarfare plans to their computer memories to gather electronic dust.”

Consistent with his background in arms control and military affairs, this op-ed reflects a focus on the national security aspects of cybersecurity.  It remains to be seen whether and how these views may affect the Administration’s policies and staffing.  On the policy side, figuring out how to create a “structure of deterrence in cyberspace” is a challenging task, given, among other things, the unsettled law and norms governing cyber behavior, the difficulty of attribution, the asymmetric nature of cyber operations, the need to balance multiple U.S. equities in doing so, and the risks of uncontrolled escalation.  On the staffing side, NSC officials noted that the elimination of the Cybersecurity Coordinator position is designed to remove bureaucracy and enable more nimble action – a goal seemingly consistent with the aggressive tone of Bolton’s op-ed, but it is unclear whether the change suggests that other NSC officials will play a more prominent role in coordinating policy in this area, that agencies will be granted more independent authority and/or asked to do more coordination, or some combination of the two.  For the elimination of the Cybersecurity Coordinator position, by itself, will likely not resolve – and could even exacerbate – the reported tensions about cyber policy even among national security agencies.  Moreover, Bolton’s perspective on the economic aspects of cybersecurity remains an important open question, and it thus remains to be seen how that perspective is incorporated into any policy and staffing changes.

One of the tasks assigned in the Trump May 2017 Executive Order on cybersecurity was a report to the president on international cybersecurity coordination, due to be completed last September. At the time of their exit from the White House, Joyce and Bossert were waiting on release of this report.  When and if that report ever comes out, it may indicate the direction this White House will take to address the continued management and coordination of U.S. cybersecurity efforts and shape a strategy to defend the nation’s information systems and infrastructure.

Cameron F. Kerry

ckerry@sidley.com

Christopher Fonzone

cfonzone@sidley.com

Michael R. Roberts

mroberts@sidley.com

Laura Sorice

lsorice@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).