Proponents say the new position would help balance and deconflict offensive and defensive operations.
House Oversight Committee lawmakers from both parties expressed apprehension that a bipartisan bill proposing to create a national cyber director’s office would lead to fiscal waste and overlapping responsibilities.
Rep. Jim Langevin, D-R.I., introduced the legislation and plans to propose its amendment to the National Defense Authorization Act, which is scheduled for consideration on the House floor next week.
Langevin and fellow members of the Cyberspace Solarium Commission testified before the committee Wednesday on the merits of the proposal, which was a key recommendation of the bipartisan, public-private commission.
They argued the need for a Senate-confirmed individual who would have the president’s ear and be dedicated to coordinating the government’s cybersecurity activities across various departments with “budget certification authority.”
Former National Security Adviser John Bolton eliminated a similar but smaller role, without the authority, from within the executive office of the president.
“In evaluating this legislative proposal, we have a duty to the American people to be a good steward of taxpayer dollars and not create more bureaucracy,” Rep. James Comer, R-Ky., ranking member on the committee, said in an opening statement.
Responding to Comer’s questions, Rep. Mike Gallagher, R-Wis., co-chair of the Solarium Commission and a co-sponsor of the legislation, said the position would come with an office of about 75 full-time employees and cost about $10 million to $15 million.
Gallagher also dismissed concern that establishing the position would constrain a president’s cyber policy decisions by creating budgetary hurdles in relation to how it works with the Office of Management and Budget.
“We are giving the national cyber director budget certification authority, which effectively means he has the ability to look at various executive branch agencies when it comes to cyber elements within their budget and flag for the president something of concern, but the president still retains the ultimate authority to adjudicate that dispute,” if there is one between the national cyber director and OMB, Gallagher said, adding this often occurs between different executive branch agencies.
But Virginia Democrat Rep. Gerald Connolly, chairman of the committee’s subcommittee on government operations, still had questions.
“I want to raise some concerns,” he said. “We have a CIO in the White House, we have a CTO in the White House, we have a chief information security officer in the White House, and we have an Office of Science and Technology adviser. All four of those offices in some measure bear responsibility for IT investments in the federal government, trying to modernize, and to protect in terms of cyber. Will the cyber czar have superseding authority with respect to the kinds of investments that get made? I say all this supportive of the intent of the legislation but worried about its execution, worried about overlap and what could go wrong with coordination.”
Rep. Ro Khana, D-Calif., also asked directly what new authorities a national cyber director would have.
Suzanne Spaulding, commission member and former director of the office that became the Cybersecurity and Infrastructure Security Agency, said it was about increasing visibility and the ability to “deconflict” offensive and defensive cyber operations.
In general, Gallagher said there is a huge disparity between how the government currently allocates resources between pre-empting or conducting cyberattacks against adversaries and defending from them.
“If you look right now at a comparison of people, resources we devote toward offensive operations at the [National Security Agency] and Cyber Command versus what CISA has to do defensive operations, you’ll see a dramatic imbalance in terms of the personnel that we have, thousands of personnel difference,” he said. “So even though we would be adding anywhere from 75 to 100, that would be a small step toward perhaps correcting that imbalance [and] getting the White House better purview into defensive operation.”
NEXT STORY: DISA leans in on zero trust