One of the best-known episodes in the sitcom “Everybody Loves Raymond” concerns timeliness. Times for departure were specified as AIS, or A** In Seat, meaning that at the appointed time, you had to be seated in the car, or it left without you. You didn’t end up where you wanted, and you didn’t have a say in further decisions.
The Trump Administration has made some good cyber security decisions so far (I’m not addressing Russia here, and that’s not what this blog is about). The Cybersecurity Executive Order, while long delayed, identified a good approach (risk management with accountability) and some excellent strategies, including modernizing federal IT to move to shared services and the cloud, and using greater transparency to incent more investment in cyber security by publicly-traded companies. Also, the appointments that have been made include smart people with strong experience, including Rob Joyce in the White House and Kirstjen Nielsen and Chris Krebs at DHS.
But the senior cyber security DHS chain-of-command is empty. OK, that’s not fair, because every post is filled in an acting capacity. These are seasoned, capable career people. If an incident like WannaCry comes up, they are more than capable of responding to it, and sometimes may be able to act more quickly if they don’t have to explain and get approval from a political appointee. They are not, however, the people who will make the ultimate decisions in six months, nor do they have the political capital to sway senior leaders in other departments. Missing senior leaders means fewer cycles devoted to strategy, more uncertainty about the long term, and less influence both in the department and across the government.
At DHS, right now there is no Under Secretary for the office – the National Protection and Programs Directorate (NPPD) – with DHS’ dedicated cyber mission team (other offices, including the US Secret Service and Immigration and Customs Enforcement, have cyber capabilities as well). There is no Deputy Under Secretary for cyber at NPPD – a position most recently held by Phyllis Schneck at the end of the prior Administration. And there is no Assistant Secretary for Cyber Security and Communications (CS&C), the person who manages components like US-CERT and the NCCIC day to day.
So, when is the “AIS” for these appointees? The current Administration is behind. At the start of the prior Administration, I was announced as Deputy Under Secretary at NPPD on March 11; that’s over three months earlier in 2009 than today in 2017. In 2009, the Senate held a hearing for the Under Secretary of NPPD on June 2, and the name of the Assistant Secretary for CS&C was announced the same day. It’s already late June, and we don’t have announcements or statements of intention to appoint or nominate.
My understanding is that no one is standing idly by, and the appointments for these positions are in progress. To be sure, there is a lot of work that goes into an appointment, especially for positions like these that require a high-level security clearance. Time is nevertheless of the essence. For example, Congress is currently considering a bill that would reorganize NPPD into an operational component of DHS, which would have significant implications for both cyber security and infrastructure protection. Having an NPPD Under Secretary would certainly be helpful in that discussion. More broadly, cyber security risk goes up every day.
I don’t want to throw anyone under the bus. I can tell you that having served at DHS myself, I’m quite familiar with the bus as seen from the bottom. But it is important that the White House prioritize naming these appointments, so that DHS can be fully effective in its cyber security mission.