Cyber policy experts also worry we’re going the wrong way on integrating government cyber operations.
How concerned should Americans be about a White House shuffle that removed the cybersecurity coordinator position? Significantly concerned, according to a collection of top cybersecurity policy experts gathered by the Atlantic Council think tank.
White House National Security Adviser John Bolton eliminated the cybersecurity coordinator position soon after taking office in May.
The elimination was greeted with consternation by many cyber analysts who believed the job, which encompasses government cyber protections, international cyber negotiations and broad U.S. cyber policy, was too complex to be subsumed into broader White House operations.
That opinion was shared by a majority of about 25 cybersecurity policy leaders gathered by the Atlantic Council think tank Tuesday. When asked if people should be “significantly concerned” about the loss of the position, more than half of the participants raised their hands.
The meeting was held under the Chatham House Rule, which means reporters and other participants can describe what was said but not who said it.
“I’m really concerned,” one participant said of the position’s elimination, adding “this is the first time I’ve seen us go backward.”
Bolton eliminated the cyber coordinator’s role soon after the then-current coordinator Rob Joyce resigned to return to work at the National Security Agency. Joyce’s resignation followed the resignation of his boss, Homeland Security Adviser Tom Bossert.
President Donald Trump replaced Bossert with Rear Adm. Douglas Fears, a former chief of staff for the U.S. Coast Guard, in June.
The cyber coordinator role was created in the first year of the Obama administration and first filled by government veteran Howard Schmidt. Cyber coordinators have played key roles in responding to major cyber events, including the 2014 Sony hack, the 2015 Office of Personnel Management breach and Russian digital meddling in the 2016 election.
Mixed Reaction to Mandates
There was a mixed response at the meeting to the idea of legislating or regulating some basic cyber protections for industry.
Some participants argued mandatory protection should be considered because free market forces haven’t produced good consumer cybersecurity on their own. Others argued legislation or regulations were bound to be clunky and outdated.
Some said regulations and laws were likely to be watered down to the point of uselessness before they took effect.
There’s “center fatigue” in government, one participant said before rattling off the numerous integration centers and interagency groups meant to handle cybersecurity issues at the agency and government level. “We’re heading the wrong way on cyber integration and Congress is enabling that,” the speaker said.
Offense is the ‘Easy Way Out’
There was concern among some participants that the push in Congress and elsewhere to develop and demonstrate offensive cyber operations as a way of deterring America’s cyber adversaries will backfire.
The concern, broadly, is that the offensive operations will be seen as an “easy way out” and will disincentivize other efforts such as cyber diplomacy or improving the cyber resilience of U.S. companies.