Biden under growing pressure to nominate cyber czar

President Biden is coming under increasing pressure from lawmakers and other officials to nominate a White House cyber czar as the government starts formulating its response to two major foreign cyberattacks.

More than halfway through his first 100 days in office, Biden has yet to name his pick for national cyber director, a Senate-confirmed position that comes with a 75-member staff.

The absence of a leader to coordinate federal policy on cybersecurity is becoming glaring as the administration works to quickly respond to both the Russian SolarWinds hack and the Microsoft Exchange Server vulnerabilities exploited by Chinese hackers.

“Fill senior positions — there is no substitute for getting people into jobs who develop policy proposals and then implementing those ideas,” said Michael Daniel, a cyber coordinator during the Obama administration who’s now president and CEO of the Cyber Threat Alliance.

“The Administration deserves credit for prioritizing filling cybersecurity positions, but it needs to press forward with filling the remaining positions as expeditiously as possible,” he said.

The cyber czar position, created by the most recent National Defense Authorization Act, would carry even more authority than the White House cyber coordinator role that was eliminated by the Trump administration in a move to cut down on bureaucracy.

That left a gap in the executive branch to lead on cybersecurity, one that has been highlighted by recent security breaches.

The first incident, known as the SolarWinds hack, was discovered in December and involved likely Russian hackers breaching at least nine federal agencies and 100 private sector groups.

More recently, Microsoft announced this month that state-sponsored Chinese hackers were using vulnerabilities in Microsoft Exchange Server to infiltrate and steal data from hundreds of thousands of organizations.

An administration official stressed Friday that Biden saw filling the cyber czar position as “a priority,” noting that the administration is in the midst of a 60-day review of the position and its structure.

“Setting up a new federal entity is complicated — and we’re taking a look at how we can do this in a way that makes the most sense,” the official told The Hill. “This remains a priority. As it has been made clear by our actions, the White House takes cyber threats very seriously.”

The National Defense Authorization Act became law on Jan. 1.

Biden has taken some interim steps. He appointed Anne Neuberger, the former cybersecurity lead at the National Security Agency, to a new role on the National Security Council (NSC) as deputy national security adviser for cyber and emerging technology.

She is now serving as the point person in the executive branch on the SolarWinds incident.

But while Neuberger has been praised on both sides of the aisle, her position is not Senate-confirmed, and she does not have the same authorities designated to a cyber czar.

“It is discouraging that we don’t have a national cyber director, and we are coping with these serious intrusions,” Sen. Angus King (I-Maine) told reporters on a call earlier this month.

He said the delay in nominating someone to fill the role could lead to more security risks.

“It may be that we are losing valuable time … let’s name a national cyber director, send the nomination up here, and in the meantime the White House can work on establishment of the office,” King said.

Concerns over the lack of a central cyber czar have grown in recent weeks, with lawmakers increasingly worried about leadership in the wake of the two breaches.

“We need a head coach, and the head coach has got to be a national cyber director. And I am hopeful we are going to have one up and running soon, because we have a lot of things we need to do,” Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, said Friday at an event hosted by the Wilson Center.

The Senate Homeland Security and Governmental Affairs Committee held a hearing on the SolarWinds breach earlier this month, where top federal officials testified on the breach.

At a Senate Homeland Security and Governmental Affairs Committee hearing on the SolarWinds breach earlier this month, ranking member Sen. Rob Portman (R-Ohio) grilled acting Cybersecurity and Infrastructure Security Agency (CISA) Director Brandon Wales about why the position remains open in the wake of “the most massive attack in the history of our government.”

Wales stressed that the administration needed to take time to evaluate the position in order to ensure it is “additive and strengthening” to existing federal cybersecurity cooperation between CISA and other agencies.

David Kris, former head of the Justice Department’s national security division and founder of Culper Partners consulting firm, told The Hill that Neuberger’s appointment at the NSC might be allowing the administration to take a little more time before filling the cyber czar position.

“The aftermath of Solar Winds brought a renewed focus on the importance of unity of effort in cyber matters,” Kris told The Hill. “With a strong and capable leader, Anne Neuberger, already in place and working such matters at the NSC, perhaps the Biden Administration is taking time to consider how adding another leader, the cyber director, will enhance that unity of effort.” 

King, however, stressed that while he supported the administration reviewing the position, timing was of the essence. 

“If you hear a little frustration in my voice, you are right, because I am frustrated,” King said. “I don’t understand, we can do two things at once around here, and if they put up someone for confirmation, it will take two, four, six weeks. Let’s get it started.”