Staff changes upend White House cyber team

The White House cybersecurity team is undergoing a major shuffle that former officials say could jeopardize the administration’s efforts to develop cyber policy and punish hackers for disruptive attacks.

President Trump’s cybersecurity coordinator, Rob Joyce, revealed this week that he would vacate his post and return to the National Security Agency (NSA), ending a 14-month stint at the White House.

{mosads}News of his planned departure came less than a week after the resignation of homeland security adviser Tom Bossert. The two men had become the face of the White House’s cybersecurity efforts, providing a line of communication between lawmakers and private industry to the West Wing.

The shakeup has created a new challenge for the Trump administration at a time when cyber threats abound.

“Certainly, there’s no question that between Bossert’s departure and Rob’s departure that it’s going to slow down policy development work and cause disruption,” said Michael Daniel, who served as cybersecurity coordinator under the Obama administration.

The changes give new national security adviser John Bolton the opportunity to remake the National Security Council (NSC) to his liking, raising questions about who he will choose to fill the positions and whether he will restructure the roles.

Bossert, a former homeland security official under the George W. Bush administration, started his most recent homeland security position in the White House when Trump took office.

Though he presided over a broad portfolio as homeland security adviser, Bossert chose to make cyber a priority. He is widely credited with crafting the administration’s May 2017 cybersecurity executive order, which grew out of his engagement with private industry and Congress.

In March 2017, Bossert announced he would bring Joyce, the leader of an elite NSA hacking group, to the NSC.

Over the course of a year, both officials fostered relationships with private sector cyber companies. They also worked with foreign governments to publicly attribute cyberattacks.

Bossert, for instance, stepped out onto the White House podium last December to blame North Korea for the global WannaCry malware attack.

Bossert abruptly announced his resignation on April 10, which reportedly came at Bolton’s request. A week later, the White House confirmed that Joyce had chosen to return to the spy agency rather than continue his post at the NSC. 

While Joyce’s exit isn’t unusual, given that he’s detailed from the NSA, the resignation caps a short tenure at the White House in a position that officials historically held for several years.  

It is unclear when a successor will be named to either position. Joyce, who has taken over for Bossert in the interim, plans to remain on “as needed to provide continuity and facilitate the transition with his replacement,” said White House press secretary Sarah Huckabee Sanders.

Still, news of their departures has sowed uncertainty and concern among private sector representatives who have grown accustomed to dealing with both officials.  

“Both Tom and Rob leaving is a significant problem for private sector engagement on cybersecurity issues,” said one lobbyist who works in the cybersecurity space.

“As companies worry about cyberattacks right now, people are asking, ‘Who should I call?’ ” the source said. “Since this administration started, the first call has often been to one of those two.”

Lawmakers are not sounding the alarm just yet. Rep. John Ratcliffe (R-Texas), who chairs the House Homeland Security subcommittee on cybersecurity, described himself as a “big fan” of Bossert and Joyce, pointing to their “significant” role working with Congress to reauthorize Section 702 of the Foreign Intelligence Surveillance Act.

“But I also say this all the time … you can replace great people with other great people,” Ratcliffe said.

There is broad agreement among former officials that it will be difficult to find suitable replacements, especially for Joyce, given his wealth of experience at NSA.

“I think it’s a pretty significant challenge that they will now have to overcome. Rob has been in this space and has tremendous expertise on all aspects of it,” said Megan Stifel, a former director for international cyber policy at the NSC. “There are very few people with the combination of his expertise and personality.”

Michael Sulmeyer, a former Pentagon cyber policy official, observed that the transition would be easier if the administration taps an official for the role who is already working in the intelligence community, the Homeland Security Department or the FBI.

“If it’s a total outsider, it’s going to take some time to get that person up to speed on what the progress has been,” Sulmeyer said.

But while the moves could complicate the White House’s cyber efforts in the short term, they also create an opportunity for individual agencies like the Department of Homeland Security to step up and take the lead. Last year, Trump tapped Kirstjen Nielsen to helm Homeland Security; she has signaled repeatedly that cybersecurity will be a priority.

News of the staffing changes coincided with the start of the RSA conference in San Francisco this week, a premier cyber event to which past administrations have traditionally dispatched top officials to meet with industry figures.

Nielsen delivered keynote remarks there on Tuesday, warning foreign nations and cyber criminals that the United States will draw from a “spectrum of response options both seen and unseen” to punish and deter future aggression.

The cybersecurity executive order Trump signed last May also triggered action at the agency level on cybersecurity, and by all accounts agencies are moving forward with those efforts. Nielsen said Tuesday that Homeland Security plans to soon release its cyber strategy to address systemic risks to U.S. critical services and other issues.

Still, former officials say that Bolton, who has no apparent expertise in cybersecurity, will need to pick replacements for both Bossert and Joyce with similar levels of experience in order for the White House to continue to move the ball forward.

“We’re certainly not in the position now given all the threats we are facing, particularly nation states, to have any gap or uncertainty,” said Chris Painter, who served as the State Department’s cyber diplomat under President Obama and during the early months of the Trump administration.

Olivia Beavers contributed.