Lawmakers Want Federal Cybersecurity Leaders' Roles ClarifiedClearer Lines of Demarcation Needed, House Members Say
In a letter sent to National Cyber Director Chris Inglis this week, a bipartisan group of lawmakers says clearer lines of demarcation are needed to better define the responsibilities of federal officials involved in cybersecurity.
Members of the House Homeland Security Committee cite a "concern that lingering confusion about the roles and responsibilities [of key cybersecurity officials] will stunt whole-of-government efforts to address cybersecurity challenges facing the nation." In addition to Inglis, who was sworn in last month, those officials include Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, who also took office last month, after the agency had gone without a Senate-approved director since November; and Anne Neuberger, the deputy national security adviser for cyber and emerging technology.
In the letter, Committee Chairman Bennie Thompson, D-Miss.; ranking member John Katko, R-N.Y.; cybersecurity subcommittee Chairwoman Yvette Clarke, D-N.Y.; and ranking member Andrew Garbarino, R-N.Y.; ask Inglis - whose office can hire up to 75 staff members and has funding pending in the latest iteration of the infrastructure bill - to provide the following by Sept. 10:
- An overview of how the national cyber director's office will complement CISA's statutory roles;
- A description of the differences in responsibilities between the national cyber director's office, CISA, and the deputy national security adviser for cyber and emerging technology;
- A plan for how the national cyber director's office will carry out statutory duties to coordinate and consult with the private sector alongside CISA.
'Lack of Clarity'
"We are pleased to see that President Biden has appointed cybersecurity professionals with a wealth of private sector and federal government experience for key cybersecurity positions in his administration," the committee members write.
But they add: "We are concerned that lack of clarity related to roles and responsibilities will frustrate the Congressional intent that drove enactment of a number of provisions … including those establishing the NCD [national cyber director] and empowering CISA. We also hope you can clear up lingering confusion about the roles between the National Security Council and the operational agencies, such as CISA." While the NSC develops and coordinates policy, the lawmakers say, "the directing of operational activities should be left to agencies like CISA."
The bipartisan group of House members points out that the Cyberspace Solarium Commission recommended, and Congress agreed, that the national cyber director should serve as the principal adviser to the president on cybersecurity issues and should lead federal coordination on cybersecurity strategy and policy.
The letter also notes that CISA has been empowered to serve as the government's "cybersecurity hub." It adds: "A strong NCD and empowered CISA were at the core of the commission's recommendations to mature and improve the nation's approach to cybersecurity, and Congress embraced and acted on those recommendations."
The committee members stress that it's "critical" that CISA "has a seat at the table" in coordinating national cybersecurity efforts. "We cannot let interagency turf battles handicap [CISA's] continued - and necessary - maturation."
Colonial Pipeline Attack
The federal response to the Colonial Pipeline ransomware attack this May is cause for concern, the members of Congress write. And they point out that the Department of Energy was named as the lead agency for response to that incident despite not being designated to take a lead role under various guidelines.
"It is our hope that you, as NCD, will provide the needed consistency and coordination to ensure the federal government is following long-established policies and procedures governing federal cybersecurity efforts," they tell Inglis in the letter.
The White House did not immediately respond to a request for comment. A spokesperson for CISA declined to comment on the committee's letter.
'Who's On First?' Problem
The concerns expressed in the letter point to a long-standing problem in the federal government, says Mike Hamilton, former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. "This is a 'who's on first?' problem that has bedeviled the federal government, and it continues to be a topic of concern," he says. "Roles and responsibilities need to be clearly delineated. And to date, that's not effectively been done."
Hamilton, who now serves as CISO for CI Security, adds: "Inglis' office is important because it has the ear of the president and can act as an advocate for multiple stakeholders. There are distinct 'swim lanes,' and if they stay distinct, this strategy has potential."
Mark Rasch, a former Department of Justice trial attorney who helped create the agency's Computer Crime Unit, adds: "To say over 100 agencies are responsible in some way for cybersecurity would be an understatement. There are no clear lines of demarcation on who has responsibilities for what. Lawmakers have created certain kinds of silos [for information security], and they exist for a good reason. [But] it's always a good idea to get individuals talking and coordinating with each other."
Rasch, now an attorney in private practice, suggests that after the new cybersecurity officials are settled into their roles, they will likely draft memorandums of understanding to more clearly define their cybersecurity responsibilities - including ultimate authority on coordination, reporting and other action items.