Should the National Security Council restore the cybersecurity coordinator role?

Former national security advisor John Bolton’s elimination of the cybersecurity coordinator role in May 2018 came as a surprise to many in the cybersecurity industry, especially security professionals that are tasked with securing federal networks, protecting critical infrastructure and providing cybersecurity governance.

The role was created to help orchestrate and integrate the government’s cyber policies, make sure federal agencies have adequate cybersecurity funding and coordinate responses to major cybersecurity incidents. Many believe that the abolishment of the role is a sign the the U.S. is deprioritizing cybersecurity; despite the importance cybersecurity demonstrates in the effective protection of the integrity of the United States, its infrastructure and its citizens. However, Bolton’s recent departure from the White House has sparked the question of whether the National Security Council should restore the cybersecurity coordinator role.

Given both cybersecurity’s roles in the U.S.’s recent history, such as the Russian’s meddling in the 2016 presidential election, Chinese military hackers’ cyber espionage against several U.S. firms, Chinese spies stealing hacking tools from the NSA as well as data privacy’s role in recent U.S. history with the Cambridge Analytica scandal amid the 2016 presidential election and news of DMVs peddling drivers’ data to thousands of businesses; it is imperative that the role is reinstated. Not only will the cybersecurity coordinator represents the U.S.’s best interest in national defense, but it should serve as an advocate for American citizens’ privacy protections in the White House.

The risk of being attacked is very real, as the World Economic Forum found that cyberattacks represent the fifth most likely to occur global threat. Technology, and therefore cybersecurity risk, is at the heart of what makes the world run. For example, critical infrastructure that enable a modern way of life; financial services for everyday transactions and investments; logistics that facilitate the flow of goods; and technology platforms across all industries all represent massive cybersecurity risks. It would wreak havoc on a national scale if any of these critical services that contribute to the U.S.’s functioning society and economy were to be disrupted, especially if obstructed from a prolonged or exceptionally destructive attack.

An example of the capabilities of nation-state backed threat actors is when the Kremlin demonstrated its prowess by implanting malware in Ukraine’s electric grid in 2015, disrupting power for approximately 225,000 citizens in the middle of winter. Winters in Ukraine can see temperatures far below zero degrees Celsius with strong, frigid winds; and the lack of electricity means the potential lack of heating, lighting, hot or running water, and even life support systems that help keep patients alive.

It may be easy to disregard cyberattacks in other countries, but critical infrastructure in the U.S. is also a target. In fact, Cisco Adaptive Security Appliance’s devices that manage power grid systems in Utah, California and Wyoming were disabled by a DDoS attack — yet there were no blackouts, harm to power generation and minimal effect on the transmission grid.

Even though the damage dealt was minimal compared to Ukraine’s attacks; it’s only a matter of time until the attackers evolve their tactics, techniques and procedures (TTPs) in order to access business-critical applications and wreak havoc. U.S. firms must prepare by making sure their existing security programs are upgraded by continuously validating the efficacy of current security controls, and identifying any gaps in coverage.

The cyber domain is not only a thing that the U.S. needs to think of from a defense perspective, it also represents a new way to conduct warfare. The country is still evolving its doctrinal approach to cyberwarfare, and its apparent today that members of other nations are also doing that. Even though the U.S. recently retaliated against Russia’s disinformation and hacking units around the 2018 midterm elections by attacking the country’s power grid, many believe that America is late to the party — especially since there are reports from the FBI and Department of Homeland Security (DHS) that Russia covertly placed malware into American power plants, oil and gas pipelines.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) warned about a rise in malicious cyber activity directed at American industries and U.S. government agencies by Iranian regime actors and affiliates. The warning comes in the wake of Iran’s increasingly frequent re-use of destructive ‘wiper’ attacks, the same malware that crippled the one of the largest and most valuable businesses on earth for months.

The CISA also warned that these nation state-backed attackers will leverage common attacks such as spear phishing, password spraying and credential stuffing, and that everyone, enterprises and consumers alike, should be aware of the Iranian aggression in cyberspace and make sure that the appropriate defenses are in place. Unfortunately, organizations and government agencies alike lack insight into whether their enterprise’s current security infrastructure is working properly. As a result, they are vulnerable to these common TTPs that are leveraged by threat actors.

As Megan Stifel, the former NSC director of international cyber policy coined amid the discussion of the elimination of the cybersecurity coordinator role, is that removing the role may send a message to other nations, “that the U.S. is taking the gas pedal off of cybersecurity as a key national security issue.”

But with Bolton’s departure, it is time that the U.S. puts the pedal to the metal and reenacts the position on the NSC. Three former Homeland Security secretaries agree that the government needs to prioritize cybersecurity risks as one of the top threats to the U.S, and without a cybersecurity coordinator, it raises the question of whether the U.S. is trying to send a false message that cybersecurity is not important while ramping up both offensive and defensive capabilities under the radar.

Regardless, the cybersecurity coordinator should represent the U.S.’s dedication to cybersecurity, the country’s doctrinal approach to cyberwarfare, and most importantly the importance of cybersecurity in the national security of the U.S. The well-being of the U.S.’s society and economy rely on the country’s ability to defend itself in the cyber domain, and it is time for the U.S. to make its stance on cybersecurity clear to the rest of the world.