
As the second-ever National Cyber Director, Harry Coker, Jr. continued the rollout of the new National Cyber Strategy and focused on cyber rule harmonization efforts while working in the Biden White House.  

Coker previously served in the U.S. Navy before retiring in 2000 as a commander and held a number of senior roles at the CIA, including within its science and technology branch. He joined the NSA in 2017 as its executive director, the electronic spy agency’s third-highest position, and went on to work on the national security staff of Biden’s transition team in 2020.

After leaving ONCD following President Donald Trump’s inauguration, Coker was appointed as Maryland’s Secretary of Commerce.

Coker spoke to Recorded Future News about his time as National Cyber Director, what he considers his biggest successes and what he would tell his replacement — who is currently going through the confirmation process.

Recorded Future News: Looking back on your time as National Cyber Director, what do you consider your biggest wins?

Harry Coker Jr.: Number one, although I was in the Executive Office of the President, I carried out my responsibilities as National Cyber Director in an apolitical manner. That’s so important. It needs to stay apolitical, regardless of who’s in the White House and who controls the Senate. Cyber is too important to this nation and to the world to have it being divvied up by political ideologies. 

Number two was implementing more of a collaborative and transparent approach within what’s called the interagency. In the executive branch, they have a multitude of departments and agencies that need to work together and that are required to work together. The Office of the National Cyber Director was tasked with being the President’s principal advisor on cybersecurity strategy and policy. 

We wanted to own that mission without being possessive. We want to be held accountable, but we know that we cannot accomplish that mission without collaboration. So what we strove to do was to leverage the core competencies of all of our partners within the interagency and we’re going to leverage core competencies of other departments and agencies. We’re going to ask them to apply resources so they need to trust us. 

So building a foundation of trust and respect mutually enhances the collaboration that we do. We were able to make progress on that front and I’m pleased and frankly proud that we were able to do that. 

One of the other wins was our relationship with the Office of Personnel Management, OPM. We had an open, collaborative, trustworthy, transparent relationship. We worked together to shine the light and then address the challenges of these unnecessary requirements for four-year degrees in cyber. We all know folks who have a good skill set in cyber that didn’t go or don’t have four-year degrees in cybersecurity. 

The prime example for me is right up here at Fort Meade, where we have not just the National Security Agency, not just U.S. Cyber Command, but also the Defense Information Systems Agency, DISA and many of those folks do not have four-year or two-year degrees, but most of those folks are very skilled in cybersecurity. We were able to make progress on that with our OPM partners. I consider that a win as we continue to go forward.

Some of these I’m not able to quantify, because the Office of the National Cyber Director is a strategy and policy shop as opposed to an operational shop. And that was one thing that we didn’t make enough progress on. How do we measure the effectiveness of a strategy and policy shop? We don’t have direct links to operational outcomes. We set the foundation for our operational partners to have those mission outcomes. But as a strategy and policy shop, we struggled to define what that is. 

But the significant progress on that front was, and this predates me, I can’t take credit for it although I love to, the development of the National Cybersecurity Strategy. That was and remains a significant strategy document that the departments and agencies across the executive branch were following and implementing, and I’m confident they still are. 

Putting that strategy in place and then building an implementation plan. Too often, entities will build strategies, and there’ll be nice, very beautiful pamphlets and flowery language, but they’ll sit over here on the shelf and collect dust, and that’s just not what they are meant to be. But the Office of the National Cyber Director had that National Cyber Strategy, but also built an implementation plan that flowed from it, and that implementation plan had milestones to include deliverables and lead entities and we held each other accountable for those outcomes.

Two other things were internet security, in particular. The internet is decades old and it was not built for security. It was built for communications and convenience. Security, I don’t even know if it was an afterthought, but we have known for decades that there are significant vulnerabilities to the foundation of the internet and we haven’t talked about it enough, nor taken action on it. 

Our team did not just shine a spotlight on it, but put forth recommendations that the federal government was following and in the private sector as well. One example is Border Gateway Protocol, BGP, where we have suffered as a nation, with some of our internet traffic having been hijacked by adversaries.

So just addressing some of these decades-old weaknesses. We have known the partial fixes for that for decades, but for some reason, the big “We” did not take action on it, so we pushed that type of thing forward. 

We do not have economic prosperity nor national security without cybersecurity. And I love to be disproven on that. The importance of prioritization of cybersecurity. As I evolved, I was able to do more about it in that job, to talk about the convergence of economic prosperity into national security. 

I grew up in uniform — 20 years in the Navy, 20 years in the CIA and NSA. I was in uniform. National security is all about that ‘bombs on target’ kinetic stuff. Well, that’s wrong. As technology has evolved, we were able to convey, and I am still conveying, and we need to continue to convey, that economic prosperity and national security go hand-in-glove. National security is imaginary without economic prosperity.

RFN: If you had six more months or maybe a year more in the position, what are some things you would have prioritized? What are things you wish you had more time to work on?

HC: We were working on it as I left, but figuring out the roles and responsibilities for the Office of the National Cyber Director vis-à-vis the National Security Council, the Cybersecurity and Infrastructure Security Agency and the Federal Chief Information Officer. Roles need to be clarified. And I don’t say that because I’m after a power grab, but the roles are not clearly defined, and although we were effective, we were not efficient in getting things done. 

In order to do our best to provide the nation with what it deserves, we need to be effective and efficient and clarity of roles and responsibilities, primarily between the Office of the National Cyber Director and the National Security Council, needs to be addressed.

From what I’ve read in the press, some of that is being taken a look at in the current administration, but it needs to be accomplished. 

Another one — the Office of the National Cyber Director was stood up in 2021 and brought in a high percentage of political appointees, some very fine professionals. But as the office stabilized, and as any organization stabilizes, you need to strike the right balance between political appointees and career officials. We were making substantial progress on that front. I would like to have seen it through, and I don’t know what the exact number is. Is it 75% career and 25% political? That might be it. 

But in an office as critical as National Cyber Director, I don’t know that you need more than a handful of political appointees. The director, the deputy director, perhaps, although I would have a discussion about having the number two as a political. Chief of staff, maybe general counsel. Other than that, I don’t know. That’s one that I wish we could have made more progress on.

Another one that if we had more time, and I would have needed more than six months on this, it goes back to what I’ve already said about prioritizing cyber, but more specifically, state, local, tribal and territorial entities. The United States is under assault every moment of every day. 

The United States is not just the federal government, it’s state, local, tribal and territorial governments as well as our private sector critical infrastructure. This is the first time that the federal government has not taken on the challenge sufficiently of protecting every American resident from nation-state assaults. 

Back in that old, outdated definition of national security, the federal government protected all of us. But is the federal government protecting all of us from these nation-state actors in cybersecurity? That’s a rhetorical question. The answer is no, but I fully realize it would take enormous resources to get it right. And when I say resources, I’m not just talking about money. 

It would take time as well. It would take expertise to train the folks up. That’s an area that was going to take far longer than six months, but I would like to have made more progress on. And I’m cheering on ONCD and others to make progress on that. 

Frankly, I’m cheering on the state, local, tribal and territorial governments to make progress on that, because the federal government cannot ignore the threats that the SLTTs are operating under every moment, and they are not resourced like the federal government is, and frankly, the federal government is challenged by resources as well. But the SLTTs are under constant assault.

That affects us as residents, but it also affects the federal government as a whole. When our citizens around the nation see that whatever adversary country is able to get into a water system, get into a hospital or have access to personally identifiable information. That conveys to the American populace that those nation-state actors are attacking us in cyberspace, and that could reasonably make a resident lose confidence in our nation’s ability to protect all of us and we need to figure it out. 

RFN: You spent months working on cyber regulatory harmonization efforts. In the last week, there has been some movement on a cyber harmonization bill and some banks have come out against the controversial SEC rules. In your view, what is the right mix of cyber regulations? Where should this effort end up?

HC: It’s easier for me to say where it should go, as opposed to where it’s going to go. Where we need to end up when it comes to cyber regulatory harmonization is reciprocity. If an entity has to do a certain amount of exercises from a regulatory perspective – these audits, these checks – well, if they do it for agency number one, it should count for number two. 

For example, if you look at the financial services industry, they are subject to a handful of independent regulators. They should not have to answer the same or similar questions of each of those handful of regulators all the time. There were, and probably are financial services institutions spending 80% of their time on these audits, these non-stop audits, and we’d like to have the CISOs be more focused on operations, as opposed to regulatory audits. 

Compliance is important, but compliance does not equal cybersecurity. An entity should not have to answer the same or similar cybersecurity compliance checks from multiple regulators. 

Secondly, we ought to have harmonization. I absolutely believe that compliance challenges, regulations need to be tailorable. But when it comes to cybersecurity, there’s a fundamental set that can go across essentially every critical infrastructure sector. You’ve got to have this, that and that, and then we tailor on top of that. Have a common set of basic foundations, cybersecurity regulations that we all ought to adhere to, and then, depending upon the sector, tailor that. 

I’m glad that Senators Peters and Lankford have put their bill forward again, but we have to bring on board the independent regulators and that’s a challenge. I respect and appreciate an entity’s independence. But we also need to understand that in cybersecurity, we need regulatory harmonization but we cannot have it without the independent regulators being on board.

We can get that done while fully respecting their independence, but they all need to recognize that there’s expertise that ought to be leveraged. Who is against these two outcomes: It would lower the cost of doing business, and it would increase national security. That’s what regulatory harmonization is all about. 

RFN: Have you met Sean Cairncross, who has been nominated to take over your old job? What advice would you give to the next person who takes over as National Cyber Director?

HC: Well, I would actually give them this interview. Everything I’ve talked about, I guess number one would be prioritization of cybersecurity, then clarify the roles and responsibilities of that office, and then work across the interagency. That’s what I would say to those folks.