May 292018

Amid Growing Threats, White House Dismantles Top Cybersecurity Post

Cameron F. Kerry, Christopher Fonzone, Michael R. Roberts and Laura Sorice
, ,

On May 15, 2018, various media outlets reported that the Trump administration decided to eliminate the position of White House Cybersecurity Coordinator. According to reports, John Bolton, appointed as National Security Adviser effective April 2018, had been instrumental in the decision that the position was no longer necessary based on the reasoning that the role was already addressed by other members of President Trump’s national security staff. The administration’s decision was met with sharp criticism, including from Democrats in Congress such as U.S. Senator Mark R. Warner (D-VA) who called the move “mindboggling” and cybersecurity expert Bruce Schneier, who called it “a spectacularly bad idea.”

The position was established nine years ago to provide presidential engagement and Executive Branch coordination on cybersecurity.  Then President Obama noted, “[n]o single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge.” In response, the Cybersecurity Coordinator would provide central coordination for cybersecurity strategy across various federal agencies and help “collaborate with industry to find technology solutions that ensure our security and promote prosperity.” To ensure a broad policy perspective, the Cybersecurity Coordinator was assigned to both the National Security Staff and the National Economic Council. Howard Schmidt served as the first Cybersecurity Coordinator until 2012, succeeded by J. Michael Daniel who held the position through the end of the Obama administration.

The Trump administration initially maintained the position and President Trump appointed his own Coordinator, Rob Joyce, reporting to Homeland Security Adviser Tom Bossert.   Joyce and Bossert brought over 40 years of combined experience in national security to the White House’s cyber team. Joyce came from the National Security Agency, where he has worked since 1989, while Bossert served as the Deputy Homeland Security Adviser to President George W. Bush in the last year of his administration and subsequently was a fellow at the Atlantic Council’s Cybersecurity Initiative. During their tenure at the White House, Joyce and Bossert together were responsible for managing the government’s response to cyber threats, including the WannaCry ransomware attack.

Joyce announced his resignation from the post in early April to return to the NSA. Compounding the impact of Joyce’s departure, Bossert resigned on April 10, following the announcement of Bolton’s appointment as National Security Adviser.  Then word came out that the position would be eliminated altogether.

The elimination of the Coordinator role occurs during at a critical time when the federal government works to counter what Daniel R. Coats, Director of National Intelligence, assesses as cyber threats from “both nation states and malign actors [that have] become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” To address these threats, both the Obama and Trump administrations have taken a multi-faceted approach that involves numerous federal agencies and partnership with the private sector.  In 2016, the Commission on Enhancing National Cybersecurity issued its Report on Securing and Growing the Digital Economy that called for reinforcing this approach.

The Trump administration has appeared to continue in this direction.  The May 11, 2017 Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” declared that “the policy of the United States to manage cybersecurity risk as an executive branch enterprise,” reaffirmed the voluntary consensus standards of the National Institute of Standards Technology Cybersecurity Framework as a central element of federal policy, and assigned several inter-agency tasks.  On May 15, 2018, the same day that the position of White House Cybersecurity Coordinator was eliminated, the Department of Homeland Security (DHS) published a Cybersecurity Strategy. In her statement accompanying the publication of the Strategy, Homeland Security Secretary Kirstjen M. Nielsen stated that DHS is “rethinking its approach by adopting a more comprehensive cybersecurity strategy” because “it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”

The departures of Joyce and Bossert from the White House put a spotlight on John Bolton’s views about cybersecurity. Prior to his appointment in the Trump administration, Bolton authored a February 19, 2018 opinion editorial that provided a glimpse of his focus. In the op-ed, Bolton stressed the need “to prevent future Russian attacks or attacks by others who threaten our interest” and advocated creating “structures of deterrence in cyberspace.” Specifically, Bolton argued that the U.S. could create “structures of deterrence” by “engag[ing] in a retaliatory cyber campaign against Russia” – an effort that, according to Bolton, “should not be proportional to what we have just experienced,” but rather “should be decidedly disproportionate.” Bolton concluded that nations that engage in cyberattacks against the U.S. should understand that “the costs to them… will be so high that they will simply consign all their cyberwarfare plans to their computer memories to gather electronic dust.”

Consistent with his background in arms control and military affairs, this op-ed reflects a focus on the national security aspects of cybersecurity.  It remains to be seen whether and how these views may affect the Administration’s policies and staffing.  On the policy side, figuring out how to create a “structure of deterrence in cyberspace” is a challenging task, given, among other things, the unsettled law and norms governing cyber behavior, the difficulty of attribution, the asymmetric nature of cyber operations, the need to balance multiple U.S. equities in doing so, and the risks of uncontrolled escalation.  On the staffing side, NSC officials noted that the elimination of the Cybersecurity Coordinator position is designed to remove bureaucracy and enable more nimble action – a goal seemingly consistent with the aggressive tone of Bolton’s op-ed, but it is unclear whether the change suggests that other NSC officials will play a more prominent role in coordinating policy in this area, that agencies will be granted more independent authority and/or asked to do more coordination, or some combination of the two.  For the elimination of the Cybersecurity Coordinator position, by itself, will likely not resolve – and could even exacerbate – the reported tensions about cyber policy even among national security agencies.  Moreover, Bolton’s perspective on the economic aspects of cybersecurity remains an important open question, and it thus remains to be seen how that perspective is incorporated into any policy and staffing changes.

One of the tasks assigned in the Trump May 2017 Executive Order on cybersecurity was a report to the president on international cybersecurity coordination, due to be completed last September. At the time of their exit from the White House, Joyce and Bossert were waiting on release of this report.  When and if that report ever comes out, it may indicate the direction this White House will take to address the continued management and coordination of U.S. cybersecurity efforts and shape a strategy to defend the nation’s information systems and infrastructure.

Cameron F. Kerry

ckerry@sidley.com

Christopher Fonzone

cfonzone@sidley.com

Michael R. Roberts

mroberts@sidley.com

Laura Sorice

lsorice@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.