The Biden administration is working on an executive order that spells out the responsibilities of myriad top cybersecurity officials in the federal government, National Cyber Director Chris Inglis said Wednesday.
Specifically, the idea would be to solidify the position of his office, only established by law in January, Inglis told the House Homeland Security Committee.
“The statute has gone a long way, and the policies that we have described, have gone a further distance in describing what the roles and responsibilities are of the various layers in this space,” Inglis told the panel. “We are in discussion within the White House about when and how to effect an executive order that would bring additional clarity to these roles and responsibilities.”
It would be the second major cybersecurity executive order of the administration, following on May’s sweeping directive for federal agencies and contractors to improve their digital defenses.
The latest executive order — set to arrive in “weeks’ to months’ time,” by Inglis’ estimate — could silence persistent questions about overlapping turfs of Inglis’ office, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency and Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger, among others. The fear in Congress and elsewhere is that organizational ambiguity could muddle response to major cyberattacks and confuse the private sector during an emergency.
A national cyber director “strategic intent statement” sought to put some of those questions to rest in October.
Inglis testified Wednesday that his office planned “more routine and explicit statements of priorities and guidance on a year-to-year basis” to support other agencies. Rep. Jim Langevin, D-R.I. — who served on the congressionally-created Cyberspace Solarium Commission, which pushed for the creation of Inglis’ current role — said that’s precisely the kind of task he had in mind for the national cyber director.
For now, the Office of the National Cyber Director awaits funding from Congress. It has obtained an office suite at the 716 Jackson Place Townhome within the White House complex, but can’t yet acquire a permanent home, hire key staff or make other procurements.
Inglis isn’t alone in awaiting key hires. CISA Director Jen Easterly said at Wednesday’s hearing that it has taken more than 200 days to hire people at her agency. That’s “onerous” compared to the ability of the private sector to bring someone into a job within 60 days, Easterly said, indicating her eagerness to make use of a big revision of how DHS hires cyber personnel set to roll out in December.
Congress can further strengthen CISA, she said, with legislation such as bills requiring reports from critical infrastructure owners about cyber incidents to the agency, providing state and local grants through CISA and codifying CISA authorities like the voluntary CyberSentry program that partners with critical infrastructure operators on spotting threats.
Easterly also said she favored housing a Bureau of Cyber Statistics within CISA. It’s another Solarium recommendation envisioned as collecting information to help form cyber policy, but the commission suggested placing it within the Commerce Department instead.