Health-ISAC Hacking Healthcare 7-12-2023
This week, Hacking Healthcare™ takes a look at the position of the National Cyber Director within the United States government. We examine what the position is, why it’s a big deal that President Biden has not nominated anyone to officially fill the position for roughly five months, and what impact the delay may have on the healthcare sector.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF Version:
Text Version:
Pressure Mounts to Nominate a National Cyber Director
Among the more significant recent changes to the way the United States government deals with cyber issues has been the establishment of a National Cyber Director to advise the president, help coordinate government entities, and lead implementation of cyber initiatives. Despite its importance, the role has been filled in an acting capacity for many months, and members of the public and private sectors are growing increasingly concerned at what the negative consequences of such a delay may be.[i], [ii] Let’s dive into the issue and examine how this may be affecting critical infrastructure sectors like healthcare.
For those not as familiar with the role of the National Cyber Director and how it relates to healthcare, let’s quickly recap some history.
Established in 2021, the position of National Cyber Director was partially the result of recommendations from the Cyberspace Solarium Commission. This eclectic bipartisan mix of experts and lawmakers published a 2020 report that included dozens of recommendations to improve the United States’ approach to cybersecurity issues.[iii] One of these recommendations advocated the creation of a new position within the Executive Office of the President that would serve as “the President’s principal advisor for cybersecurity and associated emerging technology issues; the lead for national-level coordination for cyber strategy, policy, and defensive cyber operations; and the chief U.S. representative and spokesperson on cybersecurity issues.”[iv]
A version of the Cyberspace Solarium Commission’s recommendation was taken up by Congress, and a Senate-confirmed role was established as part of the National Defense Authorization Act for fiscal year 2021.[v] The new law broadly included the responsibilities outlined by the Cyberspace Solarium Commission and left room for its role to be expanded where necessary.
It is important to note that the position of National Cyber Director was not meant to be simply a standalone advisor. While the law itself did not specifically allocate funding for what would become the Office of the National Cyber Director, the expectation was that the National Cyber director would stand up an office of around 75 personnel. Appropriate funding was eventually secured through the Infrastructure Investment and Jobs Act and the Office of the National Cyber Director has been staffing up since then. The inclusion of an office to back the Director generally reflects the acknowledged urgency and importance of cybersecurity at high levels of the federal government.
Chris Inglis served as the first National Cyber Director from July 2021 until stepping down in February 2023. Since then, roughly five months, President Biden has not nominated anyone to officially take over the role, and the position has been held in an acting capacity by Kemba Walden. Given the added time it will take to get a Senate confirmation, President Biden’s decision not to nominate an individual means the position is all but certain to go over half a year without being officially filled. Individuals in both the public and private sectors have begun to voice their concerns that failing to remedy this soon may negatively impact the position’s legitimacy, effectiveness, and leadership at a critical moment.
Action & Analysis
**Included with Health-ISAC Membership**
Congress
Tuesday, July 11
No relevant hearings
Wednesday, July 12
No relevant meetings
Thursday, July 13
No relevant meetings
International Hearings/Meetings
No relevant meetings
[i] https://www.gao.gov/products/gao-23-106826
[ii] https://www.centerforcybersecuritypolicy.org/insights-and-research/industry-groups-urge-white-house-to-nominate-new-national-cyber-director
[iii] https://www.solarium.gov/report
[iv] https://www.solarium.gov/report
[v] https://www.govinfo.gov/content/pkg/PLAW-116publ283/pdf/PLAW-116publ283.pdf
[vi] https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/2023/may/cs2023_0103.pdf
[vii] https://www.king.senate.gov/imo/media/doc/051123lettertopotusonncd.pdf
[viii] https://www.whitehouse.gov/wp-content/uploads/National-Cybersecurity-Strategy-2023.pdf
[ix] https://www.gao.gov/products/gao-23-106826
[x] https://www.govinfo.gov/content/pkg/PLAW-116publ283/pdf/PLAW-116publ283.pdf
- Related Resources & News
- Leveraging ISO 81001-5-1 Amid Medical Device Procurement
- Mitigating risk as healthcare supply chain attacks prevail
- Enhancing Cybersecurity in Rural Hospitals
- Health-ISAC Hacking Healthcare 11-15-2024
- Cyber Incident Response: Playbook for Medical Product Makers
- Feds Warn of Godzilla Webshell Threats to Health Sector
- Trump’s Return: Impact on Health Sector Cyber, HIPAA Regs
- Health-ISAC Hacking Healthcare 11-7-2024
- Protecting the Healthcare Supply Chain Against Russian Ransomware Attacks
- All hospitals should be concerned about cyberattacks. Here’s why