Fortune - USA (2021-02 & 2021-03)


66 FORTUNE FEBRUARY/MARCH 2021


theft of customers’ personal data. But the U.S. does not require independent research firms to share their findings about cyberthreats with government agencies, even if they constitute a potential national security threat.

In a $170 billion industry in which many companies are beholden primarily to private-sector clients, this gap in the law can create troubling incentives. Because their business models are often based on selling exclusive warnings and defense strategies to clients, cyberthreat intelligence firms don’t have a direct financial inducement to share their findings publicly. Charles Carmakal, the FireEye investigator who led its probe of the SolarWinds attack, notes that private firms might hoard information about a novel cyberattack “to use it as a competitive differentiator.”

To be sure, many cybersecurity firms do share their findings widely, and it’s unlikely that any firm would have stayed quiet about a threat as dire as SolarWinds. But executives across the industry cite the lack of uniform expectations around disclosure as a pitfall that may let some attacks go unpublicized. Imagine if Boeing, in mid-1941, had discovered the plan to bomb Pearl Harbor, then taken time to weigh the costs and benefits of informing the Navy.

Private-sector dominance of software design contributes to another serious cybersecurity risk that the SolarWinds attackers exploited.

The malicious code at the core of the attack was deliv-

1. RALLYING BEHIND A NATIONAL CYBER DIRECTOR

ON JAN. 1, Congress passed the $740 billion National Defense Authorization Act (NDAA) for 2021, overturning a veto by President Trump. In addition to approving the Pentagon’s annual budget, the hefty piece of legislation contains some profoundly significant cyber policy initiatives. Most notably, the law approves the creation of a new executive branch role: the Office of the National Cyber Director. This office, with a staff of up to 75, is set to be the President’s “principal adviser” and policy coordinator on all cybersecurity-related matters.

Of more than two dozen Solarium Commission recommendations adopted in the NDAA, the directorship may be the most significant, says Solarium’s Montgomery. In cyberdefense, as in many other policy arenas, a spaghetti-tangle of agencies have overlapping responsibilities.

The hope is that the new office can give federal policy the cohesion it has lacked. The President doesn’t have time to drop in on the Small Business Administration to check on its cybersecurity efforts, or to manage relationships between municipal water authorities and the EPA, Montgomery says. “In the end, you need someone who is accountable.”

To be effective, the cyber director will need to work in concert with other agencies. An elevated “cyber bureau” at the State Department would be a key accompaniment: Together, the two could more persuasively corral allies, exert influence abroad, and push for bright, red “do not cross” lines on the Internet—like no plundering of intellectual property, interfering with elections, sabotaging public utilities, or harming civilians.

Michael Daniel, President Obama’s cyber czar and now head of the industry group Cyber Threat Alliance, says the U.S. needs to be more consistent and explicit if it is to establish international rules of the road in cyberspace. As for SolarWinds, he says, America and its allies need to signal to the perpetrators that “anything that goes beyond espionage that we find”—like data destruction or physical damage—“we reserve the right to escalate.”

Of course, the U.S. conducts espionage too, Daniel acknowledges. But there should be no tolerance for other nations’ operations that “get too big, too bold,” he says.

At press time, the rumored top contender for director was Jen Easterly, head of resilience at Morgan Stanley and a former NSA official who helped establish the U.S. military’s Cyber Command. Whoever Biden puts in charge will set the tone for all that follows.

CHRIS KREBS, founding director of a key cybersecurity agency, has been hired by SolarWinds to address its post-hack mess.

ANDREW HARRER—BLOOMBERG VIA GETTY IMAGES