Two different Senate committees are holding confirmation hearings this week for the nominee to lead the Office of Management and Budget, a subtle nod to jurisdictional issues that Congress and the Trump administration will face in writing cybersecurity policy this year.
Rep. Mick Mulvaney, R-S.C., President Trump’s pick for OMB director, appears Tuesday at separate sessions by the Senate Budget Committee and the Homeland Security and Governmental Affairs Committee.
Cybersecurity won’t be the first issue raised in those sessions, but it is sure to come up as OMB has statutory authority to help secure federal computer networks.
There may be some urgency around the questioning, as Trump’s moves and comments related to cyber during the transition left a pile of question marks on Capitol Hill and among industry stakeholders.
The budget and homeland security committees are fitting places to get started, because OMB and the Department of Homeland Security, and their congressional overseers, sometimes find themselves in a tug-of-war over which agency has primary authority over the security of those federal networks.
In the Senate, the homeland security panel has jurisdiction over both OMB and DHS, but in the House, the Homeland Security Committee and the Oversight and Government Reform panel often dueled over which panel was top dog on cyber.
A recent memorandum of understanding signed by eight House committee chairmen, spearheaded by Homeland Security Chairman Michael McCaul, R-Texas, could help put the jurisdictional struggle to rest by specifying that McCaul’s panel has the lead on upcoming DHS reauthorization legislation.
The MOU applies specifically to reauthorization but also sets a precedent that may apply to future cyber legislation.
McCaul will test that proposition soon with a bill to reorganize certain DHS functions into a cybersecurity agency, which was blocked last year amid opposition from the House Oversight and Energy and Commerce committees.
“We still need to meet with the DHS cyber team before solidifying a path forward, but it is going to be our top priority out of the gate,” a committee spokesman told InsideCybersecurity.com.
In the executive branch, meanwhile, tension between OMB and DHS was papered over during most of the Obama years.
The new president’s approach may tear the wrapping off those arrangements and reignite the debate over who’s in charge of cyber policy in the executive branch.
Trump’s management style is based on delegation and accountability. His first instinct on cyber appears to involve delegating responsibilities to the Defense Department, White House cyber adviser Tom Bossert, and to private-sector “leaders” to be organized by former New York City Mayor Rudolph Giuliani, who will continue to run his namesake firm as an informal adviser to the president.
The new administration is launching a 90-day review of the federal government’s cybersecurity posture, but leadership of that process is unclear, as are the roles foreseen for DHS, OMB and DoD.
The business people Giuliani is organizing are supposed to contribute to the review. And Bossert will have a role from the White House. Some industry observers said incoming Director of National Intelligence Dan Coats and CIA Director Mike Pompeo will play leading roles.
“We have had several industry calls and there is almost no info on the 90-day review or on Giuliani,” an industry source said. Other industry sources at the forefront of cyber policy development over the past five or six years agreed that the upcoming policy direction remains a mystery.
For now, it’s wise to keep an eye on who is directing the 90-day review, which will probably produce plenty of recommendations and also, perhaps, a new top dog on cybersecurity.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
