A Proposed Cyber Security Transition Plan for the Next President
This note proposes a six-month plan for the next US President to create a fresh national program of cyber security readiness, protection, and response. I offer this plan four months in advance of the election so that transition teams can benefit from the ideas included.
Before reading my proposal, please recognize that positions, committees, and documents are worthless if they are not used. Trump's existing National Cyber Strategy, for example, has had zero impact on anything meaningful. Americans can do better than this.
Here is a detailed schedule of what I would recommend to the next Administration to get us back on track in protecting our nation from cyber threats:
November 2020
Interim Transition Coordinator for Cyber Security (ITCCS) – The new President-elect should appoint an ITCCS to handle national cyber security policy priorities and to begin reviewing existing cyber security-related programs in the present Administration.
Office of the Director of National Cyber Security (ODNCS) – The ITCCS should present a proposal to the President-elect for an ODNCS position to replace the Trump-dismantled Cyber Security Coordinator slot pioneered by Howard Schmidt under President Obama.
Budget Planning – The ITCCS should begin prioritizing all department and agency cyber security budgets, favoring initiatives that enhance defensive posture, support cyber innovation, and train next-generation Americans to protect critical infrastructure.
December 2020
Transition Reviews – The ITCCS should coordinate a recruited team of experts to begin the transition-related meetings and reviews with DHS, NSA, FBI, and related departments and agencies that have cyber security responsibilities in the present Administration.
National CISO Advisory Council (NCAC) – The ITCCS should appoint and convene an NCAC to provide ongoing guidance and feedback from actively working CISOs to the Administration on cyber security matters related to enterprise protection.
January 2021
Transition to ODNCS – All cyber security initiatives should be transferred to the ODNCS after the inauguration. The ITCCS should recommend a carefully prepared shortlist of ten candidates (from a target list of 200) to the President for the DNCS position appointment.
Office of International Cyber Security Coordination (OICSC) – The DNCS should create a new OICSC to oversee all cyber-related coordination, negotiation, and planning with international government security contacts, including those in China and Russia.
Conference on Social Media Platforms – The DNCS and the President should hold a private conference of technology, social media, and security executives to discuss meaningful laws to prevent fraud, abuse, and misuse of social media platforms, including Facebook.
Cyber Security Recruiting and Retention – The DNCS and the President should convene a virtual conference of all federal cyber security workers to request their continued service, regardless of personal politics, and to recruit new experts to join the federal government.
February 2021
Presidential Directive on NIST 800-53 – The President should issue a Presidential Directive stating that the NIST Cybersecurity Framework and NIST 800-53 rev 5 shall be the only framework and requirements to be used in federal cyber security compliance work.
Cabinet War Game – The ODNCS should run a cyber war game for Cabinet members. The game should include a worst-case security disaster scenario to highlight gaps in national readiness. Each Cabinet member should provide a follow-up plan after the war game.
White House IT CISO – The President should appoint a full-time CISO to oversee and manage all IT-related cyber security matters for White House staff. This new White House CISO position should be considered peer-level to the White House Director of IT.
NSA and Cyber Command Separation – The President should begin the political and legal process to separate the National Security Agency (NSA) from the US Cyber Command. Effort should be made to retain existing leadership in the new Administration.
Budget Recommendations – The DNCS should provide an initial budget estimate for all federal department and agency budgets in cyber security with emphasis on long-term return on investment (ROI) and protection of critical infrastructure from cyber threats.
March 2021
Presidential Directive on US Cyber Corps – The President should issue a Presidential Directive stating that all Civilian Agencies will increase their Cyber Corps students to 500 per year, per agency. Funding should be obtained through large commercial donations.
National Security Vendor Advisory Council (NSVAC) – The DNCS should appoint and convene an NSVAC to obtain relevant ongoing guidance and feedback to the Administration from domestic commercial cyber security technology vendors.
State and Local Liaisons – The DNCS should identify and coordinate with designated state and local cyber security teams to develop, test, and maintain practical plans for nationwide emergency response to potentially serious large-scale cyber security attacks.
April 2021
Presidential Directive on US Federal Agency CISOs – The President should issue a Presidential Directive stating that all Civilian Agencies must present a zero trust-based cloud transition plan for review and approval by the ODNCS.
National Security Academic Advisory Council (NSAAC) – The DNCS should appoint and convene an NSAAC to provide ongoing guidance and feedback to the Administration on matters related to secondary cyber security education.
US Army Veteran | Leukemia Fighter | Tech Industry Survivor | Full time student
4 years ago: Plans are refreshing.
WE PROTECT DATA
4 years ago: Thank you - this is Leadership
A good model: Structure follows function. Function enables structure.
Sr. Cloud and Data Platform Advisor & Strategic Client Lead @ Oracle | Technology Sales
4 years ago: Thank you for your leadership on this critical topic!
Just go ahead and hand that to President Trump, thank you!