The Trump administration has previously stated that cyber is a top priority, vowing to “take every measure to safeguard our national security secrets and systems” given that “[c]yberwarfare is an emerging battlefield.” As such, the administration “will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”
At the six-month mark, however, key executive positions in the cyber field have yet to be filled. Some political appointees or those in acting roles have departed since early on in the administration, forcing more civil servants lower in the chain to step into top roles.
[Trump’s cyber policy: Filling executive branch posts]
Many, including the president himself, have noted how serious the Trump administration is on cyber issues.
“I’ve met with the president twice on cybersecurity,” former NSA Director Keith Alexander said during an appearance hosted by the Aspen Institute July 20. ”In these meetings, what I’ve found, is … he [the president] had read all the stuff on what we were going to talk about, he knew all the key issues, he knew who the key people were in the room, he asked great questions and he got to the bottom line; what do I need to do, what help do you need and how do we do this.”
To be sure, many positions have been filled, especially at the very top, but several agencies either have acting heads leading critical cyber positions or no one at all (see info boxes for agency leadership status).
According to some experts and those who formerly served within the government, on the whole it’s best to have political appointees in top posts, but overall, civil servants with resident expertise serving in these posts is sufficient for the time being.
However, in a development that appears to have rocked part of the Washington establishment, the State Department’s top cyber diplomat is leaving his post. Additional media reports indicate the State Department might be consolidating his office — called the Coordinator for Cyber Issues — into another office at the department.
The White House has outlined a similar approach to cybersecurity and deterrence as the previous administration — colloquially referred to as whole-of-government and involving a wide range of diplomacy, indictments and offensive measures. However, on the diplomacy and norms front, they have expressed a simpler approach involving smaller discussions and bilateral deals in line with President Trump’s apparent preference for forging international deals.
[Trump’s cyber deterrence is a lot like Obama’s]
Efforts aimed at establishing international norms in cyberspace — and holding those nations that violate such agreed upon norms accountable — “may not be achievable through a U.N. effort,” Thomas Bossert, the White House chief adviser on homeland security, counterterrorism and cybersecurity matters, said during a keynote presentation in Israel in June.
This effort — officially known as the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, or more simply the UN Group of Governmental Experts (GGE) — sought to establish norms in cyberspace between nations.
“Just last week, we saw the limits of the U.N. Group of Governmental Experts, which had achieved some good results in the past, but came up short. They were unable to even reach consensus on their final report,” Bossert said. “It’s time to consider other approaches. We will also work with smaller groups of like-minded partners to call out bad behavior and impose costs on our adversaries. We will also pursue bilateral agreements when needed.”
This approach, according to Megan Stifel, formerly with the National Security Division at the Department of Justice and director for international cyber policy in the National Security Council, is not much of a shift as building a coalition of like-minded nations has been a top U.S. goal for a number of years. It may be a change in the execution but not a change of policy, she told Fifth Domain.
“America is particularly vulnerable right now to losing this momentum and surrendering global [cyber] leadership to China and Russia,” Jason Healey, a senior research scholar at Columbia University and senior fellow at the Atlantic Council, wrote recently regarding the moves at State. “It is entirely possible in 10 years the internet will no longer look and feel American — lightly monitored, with no central control and few borders. It is far more likely to have an autocratic feel.”
Healey also noted that the White House is the only government organ that is properly staffed, while cabinet departments are “incredibly understaffed, with no nominations for the deputy under secretary for cyber and communication issues at the Department of Homeland Security, nor any of the assistant or deputy assistant secretaries.”
Stifel, who is now a nonresident senior fellow at the Atlantic Council, said policy options could be limited if top slots at government agencies aren’t filled with representation at interagency meetings. With an “all tools approach” to issues like cyber, if the coordination in the agencies is not strong, that can limit policy options, she said.
Michael Sulmeyer, who formerly served as director for plans and operations for cyber policy in the Office of the Secretary of Defense, agreed that there is a bit of a disjoint between what the White House says in terms of priorities and life on the ground, but he noted that from a DoD perspective, lack of political appointees is not the end of the world.
Currently, on the defense side, DoD is still without a CIO, who is in charge of the department’s IT posture and policy, as well as the deputy assistant secretary of defense for cyber policy.
Sulmeyer, who now directs the Harvard Belfer Center’s Cyber Security Project, told Fifth Domain that he feels comfortable with those currently filling top cyber roles at DoD, noting many have good expertise. Additionally, the “ramp up” period for political appointees to not only navigate the subject matter, but what the department and military is doing can be a steep learning curve.
One area Sulmeyer highlighted on the DoD side is that of civil-military relations. While more of a long-term and not an immediate issue, not having civilians in place runs the risk of having too many in uniform drive policy, which runs contrary to the current system of civilian control of the military.
Kenneth Rapuano was recently confirmed as the assistant secretary of defense for homeland defense and global security, a critical DoD position that also statutorily makes him the principle cyber advisor to the Secretary of Defense. Until that point Maj. Gen. Burke E. “Ed” Wilson serves as the deputy principal cyber advisor to the Secretary of Defense and senior military adviser for cyber was serving in that role.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.