Top Republicans on a House oversight panel on Wednesday voiced concerns whether a proposal to establish a Senate-confirmed cyber director and related staff within the executive branch only add bureaucracy and value to the nation's attempts to strengthen its cyber security posture.
The proposal for a National Cyber Director (NCD), a key tenet of the bipartisan Cyberspace Solarium Commission, would create a central coordinating authority within the government for cyber security issues, authorize the director to make budget recommendations on department and agency cyber security budgets, and review each department's and agency's annual cyber security budget proposals for consistency with the National Cyber Strategy.
"The main questions I have toward this goal are, is it necessary to create another federal office to have someone truly ‘in charge,' and, if so, will that official in fact have the authority to make the decisions that need to be made?" Rep. James Comer (R-Ky.), ranking member on the House Oversight and Reform Committee, said during a hearing to consider legislation that would create the NCD. "Will everyone else fall in line and work in harmony? We know that multiple federal agencies have a piece of the cyber security pie, so by authorizing a new oversight and coordinating official, are we legitimately creating a system that will be more prepared to face growing cyber threats?"
Rep. Glen Grothman (R-Wis.), the ranking member on the committee's National Security panel, said, "I wonder whether we might too quickly create yet another new bureaucracy by not carefully considering potential downsides to this reform."
He also said the Trump administration has been making progress on strengthening the nation's cyber security, citing success in protecting the 2018 mid-term elections and asked if creation of the NCD would be a "disservice" to agencies that are already effectively coordinating on cyber security?
Grothman said he would keep an "open mind" regarding the proposal and Comer also suggested he is in the review process regarding the position.
Rep. Mike Gallagher (R-Wis.), one of the commission's co-chairs and a supporter of the recommendation for the NCD, said the new office would have about 75 staff, up from about the 15 currently that work cyber security issues for the White House. He also estimated the annual budget at between $10 million and $15 million for the NCD's office.
Asked by Comer if the NCD's budget-related authorities would create "budgetary hurdles" in working with the White House Office of Management and Budget that could constrain the president's cyber policy decisions, Gallagher replied that he doesn't think so, highlighting that the director would certify departments' cyber budgets and "flag" any concerns for the president. The "ultimate authority" remains with the president, he said.
The administrations of former president's George W. Bush and Barack Obama both had cyber security coordinators within the White House but these positions were not statutory and filling them didn't require Senate approval. Under one of President Trump's former National Security Advisers, John Bolton, the cyber security position was eliminated.
Former Congressman Mike Rogers, a Republican from Michigan who also chaired the House Intelligence Committee, testified during the virtual hearing that at one time he would have opposed creation of the NCD and accompanying office but now supports it based on his work in the private sector with small cyber security startups and in his studies of public policy with the Center for the Study of the Presidency & Congress.
The bill creating the NCD, H.R. 7331, "doesn't expand government, which I'm really concerned about, it focuses government," Rogers said. "If we need anything now in the cyberspace, we need focus on what our government is doing and does it have the right resources."
Rep. Jim Langevin (D-R.I.), one of the commissioners on the Solarium Commission who also introduced the NCD bill along with several other Democrats and Republicans, testified that the NCD would help ensure that cyber security is a priority across the federal government, pointing out that for most departments and agencies it's not "part of their mission nor is it their primary focus."
Langevin also said the NCD would be a stronger leader within the White House for coordinating cyber strategy and breaking down stovepipes across government, and would also coordinate incident response.
Jamil Jaffer, executive director of the National Security Institute at George Mason Univ. who worked for Rogers on the Intelligence Committee and in the Bush White House, said Congress should consider alternatives to the Solarium Commission's proposal for a statutory NCD. He said he's skeptical of the large staff the position would include, noting it would be one-third the size of the National Security Council, and the need for it to be Senate-confirmed.
Jaffer supports having a strategic leader at the White House for cyber security but suggested alternatives, including creating a position that isn't Senate-confirmed with a smaller office with five to 15 staff, that would work through the National Security Adviser on the "full range of issues in this space to ensure that we have unity of effort." He added that given all the federal agencies with key cyber security responsibilities more "aggressive" and "better" coordination from the White House is "necessary."