The fiscal $740 billion 2021 National Defense Authorization Act (NDAA), which lawmakers are expected to vote on this week, creates a new national cybersecurity director position within the White House responsible for coordinating federal cybersecurity policies.
Inclusion of the cyber czar role in the defense policy bill maps to the standalone National Cyber Director Act introduced last July by Reps. Jim Langevin (D-RI) and Mike Gallagher (R-WI). That bipartisan legislation called for a lead to function as the president’s principal advisor on cybersecurity and associated emerging technology issues. The person filling the job would be nominated by the president and subject to Senate confirmation.
Langevin told The Hill that verbiage to create the cyber director is part of the conference report that merges the House and Senate versions of the NDAA. President Trump has threatened to veto the measure over his demands to retain the titles of several Army bases named after Confederate generals and his insistence that the bill terminate certain legal protections for social media companies on content. Should the president refuse to sign the bill it would mark the first time in 59 years it has failed to become law. At this point there is no Congressional plan B should the president follow through on his veto threats. Should the bill not win Trump's signature, with it would go the national cybersecurity post.
“This position gives the person who holds this spot, this position, more gravitas than just a staff person,” Langevin told The Hill. “He or she would have sufficient staff. They get their hands around the challenges they face, a whole of government approach to protect the country in cyberspace,” he said. “This is a major step forward.”
Last September, the Government Accountability Office (GAO) warned that without a “clear central leader” to coordinate the disparate U.S. cybersecurity programs of 23 federal agencies, the White House cannot ensure that strategies and plans are effectively executed to support the nation’s cyber defenses. The government watchdog called for Congress to propose a leadership position within the White House to implement a national cyber strategy with authority over budget and resources to support the nation’s cybersecurity critical infrastructure. The GAO found there were insufficient leadership responsibilities outlined in the Trump administration’s 2018 national cyber strategy and the subsequent implementation plan in 2019 to cybersecurity threats.
“It is a position that needs to survive across administrations and not be subject to the whims of a John Bolton,” Langevin reportedly said, referring to the elimination of the cyber director post by former national security advisor John Bolton in 2018.
It’s not clear who President-elect Biden might nominate as the nation’s cyber leader. Langevin is said to have urged Biden to consider nominating Michael Daniel, former special assistant to President Obama and cybersecurity coordinator on the National Security Council, currently helming the Cyber Threat Alliance; Suzanne Spaulding, who headed the agency prior to the Cybersecurity and Infrastructure Security Agency; and Chris Inglis, former deputy director of the National Security Agency.
The idea for the new position springs in part from a large set of recommendations proposed by the Cyberspace Solarium Commission (CSC) last March calling for a new national cyber director to function as the president’s chief cybersecurity advisor. Langevin first introduced legislation creating a White House cyber director position in 2010 based on a recommendation from the report of the Center for Strategic and International Studies Commission on Cybersecurity in the Obama administration.