National Cyber Director Harry Coker looks back (and ahead) on the Cyber Director office
Days after the four-year anniversary of the creation of the Office of the National Cyber Director and days before its current chief is set to depart, that man, Harry Coker Jr., looked both backward and forward at the office in a speech Tuesday and a separate interview with CyberScoop.
Coker touched on software liability, regulations, the authorities of his office, federal agency cybersecurity, the cyber workforce and the biggest cyber weakness insufficiently addressed right now.
His speech at the Foundation for Defense of Democracies laid out Office of the National Cyber Director (ONCD) achievements, both during his tenure and that of his predecessors, from leading the writing of a national cybersecurity strategy and implementing it to addressing memory-safe coding language to encouraging agencies to improve secure internet routing.
But the office still has more informal authority than formal powers, Coker told CyberScoop, which is something the next administration could examine.
“I think that as we grow, as we have grown, we are able to take on more responsibilities,” he said of his 80-plus staff. “We currently do not have a role in the national security policy process.”
The office works with agencies like the National Security Council, and does so gladly, but it lacks the authority to convene on its own, he said. “There are some times when ONCD ought to be able to go — not go it alone — but initiate and lead through that process. That changes depending upon what a president wants to do… and that is one area that I think should be improved upon.”
Another area where the Trump administration could make headway is on cyber regulation harmonization. He said he was disappointed Congress didn’t get legislation into law giving ONCD a stronger role in de-conflicting various federal cyber rules.
“What that will do is decrease the cost of doing business and increase cybersecurity,” something that ought to be bipartisan, Coker said. “You’ve got to get past the sound bites and make that happen. I think it’s just, some folks are opposed to regulation and put ‘regulation’ in the title that’s going to raise the hackles of some individuals.”
Coker also said a symposium the office hosted with the legal research community should soon provide options for the new administration to address software liability, following consultations with the private sector.
There could be significant turnover in his office since around half of the positions are political appointments, and Coker said the operating presumption is that most of them will depart. However he’s not aware of any plans from nonpolitical employees to depart as a result of the change in administration.
An executive order last week on the order of ONCD succession raised a kerfuffle with some Trump allies, although Coker said it was innocent. Most organizations have succession plans, he said, but he could understand why the timing would appear suspicious to those who were.
Going forward, one of the biggest gaps in cybersecurity is protecting state, local, tribal and territorial governments, Coker said.
“I am very concerned with our national deficit, so I’m not going to say we need more money” to address security for those entities, he said. “I’m saying there’s enough money being spent in the federal government, but we need to figure out how to prioritize cybersecurity. So do they need more resources? Yes, that is talent, that is software capability, and yes, that requires money. There are so many holes that it is going to have to be a yearslong effort, and it’s going to have to be some level of shared services.”
Prioritizing spending on cybersecurity within the federal government will require an evolution, too, he said. He noted that the ONCD and the Office of Management and Budget have given budget guidance, but needs to consider “budget direction” instead.
“I’ll make it analogous to voluntary requirements versus regulation” in the private sector, Coker said. “We’ve gone past the point of asking departments and agencies to sufficiently fund cybersecurity. It’s not getting it done.”
Overall, he said, “there just aren’t enough resources in cybersecurity.”
His office, if it wants to lead, has to practice what it preaches; Coker has pushed for the elimination of degree requirements for cyber jobs, and while the ONCD doesn’t have many outside contracts, it’s made sure to eliminate them for those, he said.
As he departs, Coker said one of the fun parts of the job has been taking on challenges and trying to develop solutions, or as he said it: “getting beaten up with friends and colleagues trying to do the right thing.”
