
Is Energy’s decision not to name a political appointee to oversee cyber a mistake?


The proliferation of political appointees across government focused on cybersecurity is both a signal of the threat and a recognition of the level of attention the topic needs.

There are three political appointees at the White House alone. Anne Neuberger is the deputy assistant to the President and deputy national security advisor for Cyber and Emerging Technology on the National Security Council. Chris Inglis is the national cyber director. And finally Chris DeRusha is the federal chief information security officer in the Office of Management and Budget and last November took on an additional role as the deputy national cyber director.

The Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security is led by Jen Easterly, another political appointee.

The National Security Agency and U.S. Cyber Command are led by a general, Lt. Gen. Paul Nakasone, who is also confirmed by the Senate.

The Commerce Department, the Federal Communications Commission, the Department of Veterans Affairs and many others have similar cyber-focused leadership positions that require presidential appointments and some are Senate confirmed too.

The one missing from this list is the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response (CESER). The Senate is required to confirm the assistant secretary who typically runs the office. But the Biden administration and Energy Secretary Jennifer Granholm have decided not to make the position a political appointee, raising concerns across the spectrum from Capitol Hill to industry executives to former CESER officials.

They call that decision shortsighted and damaging at a time when the energy sector is facing an increased level of threats.

“The problem is I’ve served as both a career and as a political across multiple administrations and being a political appointee gives your office a presence by law,” said Sean Plankey, a former director of cyber policy at the White House’s NSC and the former principal deputy at CESER. “You are part of the conversation and subject to Congressional oversight, which helps ensure there isn’t mismanagement, but also ensures you are responsible for results. For the most part, a career official is likely not to have that seat at the table to ensure they have resources or in whatever meetings. If you are a career official, you are never going to be in that ‘trusted circle’ of the secretary.”

Plankey, who now is director of cyber missions at DataRobot, other former career CESER officials, as well as other cyber experts say not having a political appointee to lead the office sends a bad message internally and externally to the agency employees and the overall energy sector.

Threats to energy sector on the rise

And that message comes at a time when threats against the energy sector are increasing.

President Joe Biden issued a statement in March urging critical infrastructure providers, many of which are from the energy sector, to “harden your cyber defenses immediately” in light of threats by Russian hackers.

Dragos, a cybersecurity firm, found in its 2021 ICS/OT Year in Review report that of the 18 worldwide threat groups that it tracks, two of the three newest ones focused on industrial control systems (ICS) intrusions with “a focus on access operations and data theft over disruption. This shows that adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes.”

Jeremiah Baumann, the deputy chief of staff of the Office of the Under Secretary for Infrastructure, where CESER resides, said in an interview with Federal News Network that having a career official and not politicizing the office will make it more effective.

“It has been a deliberate decision that this position is too important to leave subject to the whims of shifting politics, and we need to have steady leadership in the job. That’s been the consideration from day one,” he said. “I think in my experience of this administration, at least, is when you’ve got strong skilled leaders who bring the right kind of expertise to the table, I haven’t really seen a huge distinction on who is a political appointee and who’s not a political appointee. The secretary works with both political and career leaders on all sorts of matters. They sit at the same table, have an equal voice, and I say the same thing in interagency processes. I think our career leader for the CESER office is among the most respected people in D.C. when it comes to cybersecurity and I don’t think there’s anybody you can’t sit at a table with and hold his own.”

Currently Puesh Kumar is the director of CESER. He’s highly respected for his knowledge and background.

Energy created CESER in 2018 with $96 million from the appropriations bill with a goal of elevating “the department’s focus on energy infrastructure protection and will enable more coordinated preparedness and response to natural and man-made threats.”

Karen Evans was the only politically appointed and Senate confirmed assistant secretary of CESER. She started in September 2018 and lasted about 18 months before leaving in February 2020. Since then, CESER has had either acting or career deputies in charge.

Career not equal to political appointees

Experts say Kumar would be an excellent choice to be the political appointee, but as the career official, he’s at a disadvantage when he walks into a meeting with Easterly, Neuberger, Inglis or with CEOs from top energy companies.

Plankey, who also worked at BP as a global cyber intelligence advisor, saw this happen first hand.

“You try to bring the same level of official to the table. If the CEO of multi-billion dollar organization is sitting down with career official who isn’t at that level, that’s a problem,” he said. “I’m not taking anything away from that career official, but if you are not the designee through political appointment status it’s hard to curry that same level of focus and attention.”

Nick Andersen, the chief operating officer at Invictus International Consulting, a non-resident senior fellow in the Cyber Craft Initiative at the Atlantic Council and a former principal deputy for CESER, called Energy’s rationale for having only a career person at the helm a “little disingenuous.”

“All positions in Energy have senior career deputy to provide continuity. That is part of what we do with transition planning,” he said. “We are not having this debate with any other cyber or critical infrastructure positions across the government. Not at CISA or at FEMA. If you look at where cyber and resiliency mission sits in the Defense Department, they have an appointee who is a deputy assistant secretary and a Senate confirmed assistant secretary for defense for homeland defense and global security. It sends a strong message about internal prioritization of missions. When you are willing to take that level of visibility away from the office, it makes it more difficult to be on level playing field with other departments, which are maintaining level of importance for same mission areas.”

The increase in threats to the energy sector caught the attention of Congress, particularly in the wake of the Russian invasion of Ukraine.

Lawmakers expressing concerns

In March, lawmakers passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the Consolidated Appropriations Act of 2022.

The legislation establishes mandatory cyber intrusion reporting requirements for critical infrastructure companies, including companies in the energy sector. While Congress gave CISA the role to implement the law, Energy, under existing authority, remains as the sector risk management agency (SRMA) for energy sector cybersecurity.

House and Senate oversight committees, the Committee on Energy and Commerce and the Committee on Energy and Natural Resources, respectively, wrote to Granholm in early April expressing concern about DoE’s role in remaining the cybersecurity lead for the energy sector.

“CESER’s mission and responsibility has grown a lot in the last few years and a lot of it is attributed to work it has done over the last few years,” Andersen said. “It has taken on work at the tactical level by coordinating with the sector or providing cyber threat information with intergovernmental partners. It has expanded the expertise it provides. And CESER is looking at strategic risk to drive one consolidated view of where risk is and how to shore it up, especially within the research and development and supply chain areas.”

The letter by Senate and House members to Granholm isn’t the first expressing concerns. In March 2021, 11 Senators wrote to the secretary pressing her to name a political appointee to lead CESER.

“It is imperative that the department does not march backwards on its responsibilities to the energy sector and the protection of our critical infrastructure given the persistent, growing and significant threat cyber attacks pose to our nation’s economy and national security,” the lawmakers wrote.

Some sources say one reason that Energy isn’t making the CESER position a political appointee is there are only a limited number of slots available and Granholm and/or the White House have decided to allocate the positions differently.

Energy’s Baumann and other Energy officials referred to studies that found more than 1,200 political appointees across all agencies and the time it takes to get someone confirmed.

“We actually think that certain things are so critical and so important that they shouldn’t be left so vulnerable as to be sitting around vacant for months at a time just because of whatever political spat of the day means a single senator doesn’t want to confirm someone,” he said. “We think it’s absolutely critical that there be steady leadership, someone who can be in place, regardless of the politics to work on things like emergency response and cybersecurity. We don’t think it would be good to have situations like the Texas grid going down or the Colonial Pipeline getting hacked, and there’ll be no leadership in place because of politics.”

Funding, resources easier to come by

Mark Montgomery, the former executive director of the U.S. Cyberspace Solarium Commission and now a senior fellow at the Foundation for Defense of Democracies, pushed back against that rationale, too.

He said when you have an assistant secretary that is politically appointed and Senate confirmed, the organization does better with funding and other resource allocations, which, he said, is management 101.

“If you value something, and think it’s important for your mission, then you assign an increasingly senior person to manage that issue. DOE over last several years has made a lot of good decisions. They have worked well with Congress on the infrastructure act and got significant cyber resources. As it gets more responsibilities and more grant programs to manage, that lends itself to more senior and accountable leadership.”

Montgomery added it’s also easier to hold the office accountable when there is a political appointee at the helm. Typically, administrations aren’t keen on letting career officials testify before Congress, so a political appointee is preferred both from an accountability perspective as well as an operational one.

“Over at the White House or on Capitol Hill, it helps to be a presidential appointee to argue for your agency’s or the President’s priorities, and it’s the same on Capitol Hill,” he said. “And if you’re working with the private sector, they understand where the lines of responsibility are. CEOs are more comfortable with an assistant secretary than a deputy assistant secretary. We should want this person meeting with CEOs to be in the ‘C suite’ because this is a C suite issue and is a C suite engagement.”


