When the president’s Commission on Enhancing National Cybersecurity meets next week in Washington, at the top of the agenda will be a question leaders have often debated — how to empower policymakers to actually shift the ponderous levers of authority in a new administration.
Lyndon Johnson had an “anti-poverty czar,” Bill Clinton made Gen. Barry McCaffery his “drug czar,” and George W. Bush pulled elements of 22 U.S. departments and agencies together into the Department of Homeland Security.
All were efforts to centralize policymaking and concentrate power in the hands of a man or woman with a mission — in the current case, securing computer networks vital to the federal government’s operation, as well as protecting industry from hackers, spies and foreign enemies.
“The key messages the commission is hearing are around how do you create authoritative positions in the White House around cyber security and how do you define what makes that position authoritative,” said Kristen Todt, the commission’s executive director in a recent interview with FedScoop.
“One piece that feeds into that is obviously budgetary authority: Does that mean … empowering with greater authority those positions in [the Office of Management and Budget] — [Federal CIO] Tony Scott’s position and [the new federal Chief Information Security Officer Gregory Touhill.]
“We have these positions in place, how do we make them more powerful and more authoritative?” she asked.
“What we all know about government is: you have to have the authority and you have to have the budget to back up that [policy]. The [policy] enforcement mechanism is not there for cybersecurity,” she added.
“The president needs to tell his cabinet that this is important,” agreed retired Coast Guard Commandant Adm. Thad Allen, now executive vice president at Booz Allen. He spoke at the Billington Cybersecurity summit Tuesday.
That is an alternative approach, which Todt summed up like this: “The position doesn’t need to change, but the new president [needs to] put a new level of prioritization on how the process works.”
That’s an issue that Todt has some experience with: she once worked for McCaffrey, the first ever drug czar, in what was more properly called the Office of National Drug Control Policy.
Elements of power
Todt said it was becoming clear to the commission that three key elements of power in Washington, “responsibility, accountability and capability” were poorly aligned in cybersecurity policymaking.
“Agencies are looking for authority, but they don’t want the responsibility, and when you ask them where’s the capability, they don’t know how to answer the question,” she said.
The commission has already been briefed by key federal stakeholders. Those briefings, alongside evidence the commission will gather in public testimony next week, will help them gain “understanding [of] how those [three] elements are syncing together in agencies and how we’re currently organized for cybersecurity,” Todt said.
She added the commission was trying to determine, “Who is really in charge? What are the roles and responsibilities and do those roles and responsibilities have the appropriate authority and budget authority?”
A long-term commission
The commission was established as part of President Barack Obama’s Cybersecurity National Action Plan, or CNAP, in February. With 12 members, the commission is headed by a chairman, former national security adviser Tom Donilon, and a deputy, former IBM CEO Sam Palmisano. It has six full-time staffers and a budget of $5.5 million.
Its remit is to make “detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of government, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security,” according to a White House fact sheet.
It’s scheduled to make recommendations on Dec. 1, early enough that its proposals can form part of the transition planning for the incoming administration.
Timing and transition
Todt says the timing is crucial. Government veterans understand how quickly a new administration can lose momentum on key issues or be blown off course altogether by unexpected events.
“We have an opportunity because of this transition, to really raise the visibility, make this a priority for the new president,” she said, adding that “the current president would certainly say it is a priority [for him] and it absolutely is.”
“But,” she continued, “coming in with a new president and a clean slate, you have the opportunity to say, cybersecurity is a priority from day one and these are the activities and expectations I have of you as a cabinet secretary, as a government leader.”
She said the appointment of new cabinet secretaries and agency heads will give the incoming administration the chance to impose on them “a very specific set of requirements … to be very clear and transparent about what is expected. To say, ‘we expect you to have these elements in place for your infrastructure we’re looking for this type of reporting and accountability.'”
“I think this is one of the things the commission is looking at,” she said of that new level of specificity.
The ghosts of czars present and past
Reflecting on her experience working for the very first ONDCP, Todt said McCaffrey was “for that position, unique in how successful he was.”
Part of the reason, she explained, was a unique set of powers.
“One of the key elements that he brought [to the post was] he had budget authority over certain parts of the Department of Defense budget. So he could actually pull budget from them on certain issues, and that made his voice, while not a big agency, pretty strong at some critical points.”
Like the cybersecurity issue, drug policy was one where a wide variety of stakeholders were coming at the process with very different equities, and very different strategic approaches, she said.
“Drug policy cut across lot of different agencies … cybersecurity is a part of every agency and so looking at the leadership is needed so that agencies truly feel accountable for their cybersecurity.”
Asked directly if more power should be given to the cyber czar to further centralize the cybersecurity policy making process, Todt replied, “That’s what we’re trying to figure out right now.”