TRENDING:

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Lawmakers Want Federal Cybersecurity Leaders' Roles Clarified

Clearer Lines of Demarcation Needed, House Members Say Dan Gunderman (dangun127) • August 12, 2021    
Lawmakers Want Federal Cybersecurity Leaders' Roles Clarified
Lawmakers have asked National Cyber Director Chris Inglis to outline federal cybersecurity responsibilities.

In a letter sent to National Cyber Director Chris Inglis this week, a bipartisan group of lawmakers says clearer lines of demarcation are needed to better define the responsibilities of federal officials involved in cybersecurity.

See Also: The 2021 Cybersecurity Executive Order

Members of the House Homeland Security Committee cite a "concern that lingering confusion about the roles and responsibilities [of key cybersecurity officials] will stunt whole-of-government efforts to address cybersecurity challenges facing the nation." In addition to Inglis, who was sworn in last month, those officials include Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, who also took office last month, after the agency had gone without a Senate-approved director since November; and Anne Neuberger, the deputy national security adviser for cyber and emerging technology.

In the letter, Committee Chairman Bennie Thompson, D-Miss.; ranking member John Katko, R-N.Y.; cybersecurity subcommittee Chairwoman Yvette Clarke, D-N.Y.; and ranking member Andrew Garbarino, R-N.Y.; ask Inglis - whose office can hire up to 75 staff members and has funding pending in the latest iteration of the infrastructure bill - to provide the following by Sept. 10:

  • An overview of how the national cyber director's office will complement CISA's statutory roles;
  • A description of the differences in responsibilities between the national cyber director's office, CISA, and the deputy national security adviser for cyber and emerging technology;
  • A plan for how the national cyber director's office will carry out statutory duties to coordinate and consult with the private sector alongside CISA.

'Lack of Clarity'

"We are pleased to see that President Biden has appointed cybersecurity professionals with a wealth of private sector and federal government experience for key cybersecurity positions in his administration," the committee members write.

But they add: "We are concerned that lack of clarity related to roles and responsibilities will frustrate the Congressional intent that drove enactment of a number of provisions … including those establishing the NCD [national cyber director] and empowering CISA. We also hope you can clear up lingering confusion about the roles between the National Security Council and the operational agencies, such as CISA." While the NSC develops and coordinates policy, the lawmakers say, "the directing of operational activities should be left to agencies like CISA."

The bipartisan group of House members points out that the Cyberspace Solarium Commission recommended, and Congress agreed, that the national cyber director should serve as the principal adviser to the president on cybersecurity issues and should lead federal coordination on cybersecurity strategy and policy.

The letter also notes that CISA has been empowered to serve as the government's "cybersecurity hub." It adds: "A strong NCD and empowered CISA were at the core of the commission's recommendations to mature and improve the nation's approach to cybersecurity, and Congress embraced and acted on those recommendations."

The committee members stress that it's "critical" that CISA "has a seat at the table" in coordinating national cybersecurity efforts. "We cannot let interagency turf battles handicap [CISA's] continued - and necessary - maturation."

Colonial Pipeline Attack

The federal response to the Colonial Pipeline ransomware attack this May is cause for concern, the members of Congress write. And they point out that the Department of Energy was named as the lead agency for response to that incident despite not being designated to take a lead role under various guidelines.

"It is our hope that you, as NCD, will provide the needed consistency and coordination to ensure the federal government is following long-established policies and procedures governing federal cybersecurity efforts," they tell Inglis in the letter.

The White House did not immediately respond to a request for comment. A spokesperson for CISA declined to comment on the committee's letter.

CISA Director Jen Easterly speaking at a recent event (Photo: New America via Flickr/CC)

'Who's On First?' Problem

The concerns expressed in the letter point to a long-standing problem in the federal government, says Mike Hamilton, former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. "This is a 'who's on first?' problem that has bedeviled the federal government, and it continues to be a topic of concern," he says. "Roles and responsibilities need to be clearly delineated. And to date, that's not effectively been done."

Hamilton, who now serves as CISO for CI Security, adds: "Inglis' office is important because it has the ear of the president and can act as an advocate for multiple stakeholders. There are distinct 'swim lanes,' and if they stay distinct, this strategy has potential."

Mark Rasch, a former Department of Justice trial attorney who helped create the agency's Computer Crime Unit, adds: "To say over 100 agencies are responsible in some way for cybersecurity would be an understatement. There are no clear lines of demarcation on who has responsibilities for what. Lawmakers have created certain kinds of silos [for information security], and they exist for a good reason. [But] it's always a good idea to get individuals talking and coordinating with each other."

Rasch, now an attorney in private practice, suggests that after the new cybersecurity officials are settled into their roles, they will likely draft memorandums of understanding to more clearly define their cybersecurity responsibilities - including ultimate authority on coordination, reporting and other action items.

Previous
Cyberspace Solarium Commission Offers Progress Assessment
Next
ISMG Editors’ Panel: Cyberattacks Now Risk Kinetic Response

About the Author

Dan Gunderman

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.



Around the Network

Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.