Last week’s resignation of the White House homeland security adviser surprised the cybersecurity community, but sources inside and outside of government said the departure of Tom Bossert should have little impact on key policy initiatives that are reaching a critical stage.
Sources said that’s a reflection of a general consensus around cyber policy needs in areas like deterrence. On the flip side, some sources said Bossert’s removal reflects chaos at the White House that makes it difficult to craft and implement the coherent national cyber policy that lawmakers and others have been demanding.
Robert Joyce, the White House cybersecurity coordinator, has been tapped to replace Bossert as homeland security adviser, at least on a temporary basis.
That gesture toward continuity was appreciated in industry circles, particularly with two key cybersecurity policy documents awaiting final White House approval.
Officials have been racing to finalize by May 11 — the one-year anniversary of President Trump’s cybersecurity executive order — reports on cyber deterrence and on combating “botnet” attacks. Those occur when hackers hijack thousands or even millions of computers and use them to overwhelm the defenses of banks, hospitals, or other targets.
“It’s a good sign that Joyce is taking over; it means we don’t have to start all over on the reports,” said one former high-ranking government cyber official, now in the private sector. The reports, now in draft form and undergoing final revisions, are expected to give the departments of State, Homeland Security, Commerce, and others their marching orders on the botnet fight and international deterrence policy.
“But [the departure] is surprising — Bossert was a hawk on cyber issues,” the former official said, noting that Bossert’s approach should have fit in with the worldview of both President Trump and new national security adviser John Bolton.
This source and others said Bossert’s departure does feed into uncertainty about both the White House’s policy aims and how the administration intends to engage with the private sector on cyber.
However, one well-placed industry source said Bossert rarely if ever engaged with industry groups even though the Trump White House, like the Obama White House before it, has emphasized that government-industry partnerships are the bedrock of good cybersecurity.
On the upcoming reports, a senior Department of Homeland Security official said the botnet draft is undergoing final revisions, with an emphasis on recommendations for protecting critical infrastructure from attacks.
Industry sources said last week they felt comfortable the White House wasn’t going to recommend regulations to guard against botnets and that this was unlikely to change under the new national security team.
On deterrence, everyone — industry, government, Republicans, and Democrats — seems to agree on the need for spelling out a plan, but what it will actually mean remains subject to interpretation.
A senior State Department official said the executive order-mandated deterrence report is at the White House awaiting final approval.
And, this source said, “Deterrence is happening now. Look at the sanctions we’ve announced, and targeting Russian oligarchs.” But many people, including lawmakers, “seem to be looking at the wrong thing, they want offensive cyber action” against bad actors.
That, the source said, is just one aspect of a deterrence policy.
Robert Strayer, the State Department’s deputy assistant secretary for cybersecurity, said at a U.S. Chamber of Commerce event last week that “this administration is acting,” and “we have started calling out bad actors.”
