Legislation to establish a permanent, Senate-confirmed presidential cyber security adviser with authority to review federal cyber budgets, and coordinate and develop the national cyber security strategy was introduced in the House on Thursday by a bipartisan group of members.
The National Cyber Director Act (H.R. 7331) is based on one of the key recommendations from a bipartisan commission report in March calling for creation of a National Cyber Director (NCD) to serve within the executive branch as the president's principal adviser on cyber security and related emerging technology issues to provide "sound advice and timely options" as cyber security threats grow.
The administrations of George W. Bush and Barack Obama had White House cyber security advisers, as did President Trump for the first year of his presidency but the positions were neither permanent nor Senate-confirmed and they didn't have authority to review department cyber security budgets or coordinate national incident response. These authorities are included in the new legislation.
"The coronavirus has elevated the importance of cyber infrastructure and demonstrated how incredibly disruptive a major cyberattack could be," Rep. Mike Gallagher (R-Wis.), co-chair of the Cyberspace Solarium Commission and one of the sponsors of the new bill, said in a statement. "But while we are woefully unprepared for a cyber calamity, there is still time to right the ship. As the Cyberspace Solarium Commission recommends, a critical first step in doing so is through the creation of a National Cyber Director who would not only coordinate a whole-of-nation response to an attack, but work to prevent it in the first place."
The legislation would also create two deputy positions under the NCD, one for Strategy, Capabilities, and Budget and the other for Plans and Operations.
The 12-page bill lays out a number of duties for the NCD, including serving as the president's principal adviser on cyber security strategy and policy, consulting with departments and developing the national cyber strategy, supervising implementation of the strategy, recommending organizational, personnel and resources and policies of departments, reviewing department's annual budget proposals, reporting to the president and Congress on the nation's cyber security posture, leading joint interagency planning for national response to cyberattacks, supporting integration of defense and offensive cyber plans and capabilities, exercising these plans, and working with the private sector on cyber security and emerging technology issues. The NCD would also attend meetings of the National Security and Homeland Security Councils.
The NCD position would require oversight by the Senate Armed Services Committee (SASC) and the Homeland Security and Governmental Affairs Committee. The SASC, in its recent markup of the fiscal year 2021 National Defense Authorization Act, calls for an independent assessment on the need creating the NCD position.
Other sponsors of the NCD Act include Reps. Jim Langevin (D-R.I.), a member of the Cyberspace Solarium Commission, Carolyn Maloney (D-N.Y.), chairwoman of the Oversight and Reform Committee, John Katko (R-N.Y.), ranking member on the House Homeland Security Cybersecurity Subcommittee, Dutch Ruppersberger (D-Md.), former ranking member of the House Intelligence Committee, and Will Hurd (R-Texas), ranking member of the House Intelligence Subcommittee on Intelligence Modernization and Readiness.
The bill is expected to be primarily referred to Maloney's committee.
Michael Daniel, former cybersecurity coordinator for President Obama and currently the president and CEO of the Cyber Threat Alliance, said in a statement about the cyber security issue that "Since it crosses so many departmental jurisdictions, siloes, and missions, no single department or agency is or can be ‘in charge.' Yet, the need for greater coordination, focus, and clarity on cyber security within the U.S. government is clear. So, while I am normally skeptical about creating new positions as a solution to policy problems, establishing a National Cyber Director within the Executive Office of the President is the right approach for this situation."