The global malware attack that has crippled hospitals, businesses and foreign government computers is confronting a Trump administration that still hasn’t filled many of the top cybersecurity slots that are critical for handling this kind of crisis.
The dozens of vacant roles with major cyber responsibilities — not all of which are on the front lines in a crisis — include a permanent director for the Department of Homeland Security’s cybersecurity wing, the government’s first-responder for many digital emergencies. The raft of openings creates a risk that the government will be slow to respond to trouble, and that federal agencies and private companies will have trouble finding help when they need it, cybersecurity experts and former officials say.
In an emergency, “they’re the folks you turn to and say, ‘go do this,’” said Chris Cummiskey, a former acting undersecretary and deputy undersecretary at DHS.
“They’ve been able to hold the line this week,” Cummiskey added, crediting the White House for convening emergency meetings late Friday and over the weekend. “But if this goes up the chain and gets much more aggressive … you really don’t want to have those positions vacant.”
In the longer term, the vacancies could hamper the administration’s ability to order policy changes and network patches in response to the first big cyber crisis of Trump’s term.
So far the United States has escaped the havoc that the spreading “ransomware” attack has created in at least 150 countries, including turmoil in British hospitals and the forced shutdown of auto plants in France and Romania. No U.S. banks, power plants or other critical targets have taken hits yet.
And the Trump administration does have a cybersecurity “response group,” created during Barack Obama’s presidency, that met over the weekend to coordinate agencies’ handling of the current emergency. The cyber jobs the White House has filled have also generally gone to respected figures.
But the unknown perpetrators behind the attack are still at large, and some cybersecurity experts expect them to unleash a second round that could be even more effective and devastating.
The slowness to fill cyber-related posts matches a similarly sluggish pace with Trump appointees overall. The administration has also announced little progress from one of its most visible cybersecurity efforts, the tapping of former New York Mayor Rudy Giuliani to head an outside council that would solicit advice from the private sector. (Giuliani’s last visit to D.C. landed in the middle of the uproar over President Donald Trump’s firing of former FBI Director James Comey.)
“While I have great respect for the individuals the president has named to key cybersecurity roles within the White House, the fact of the matter is that far too many positions remain vacant,” Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus, told POLITICO. “Making cybersecurity a priority requires personnel to carry out policies and guide U.S. government response, and I hope the president moves quickly to fill these critical national security vacancies.”
Several vacancies stand out. Within the White House’s Office of Management and Budget, two key government-wide IT officials — the chief information officer and chief information security officer — have not been replaced since their Obama-era appointees left. These positions help coordinate the implementation of high-level digital defense policy across the entire government. And no permanent replacement is in charge of DHS’s cybersecurity arm, the National Protection and Programs Directorate.
Then there are the senior career cyber slots that have naturally gone vacant during the changeover of administrations.
“The senior career ranks in cybersecurity are pretty decimated,” said John Cohen, a former acting undersecretary at DHS.
These roles are now staffed by acting career officials. While these employees are usually exceptionally qualified, “the very fact that they’re acting means they don’t have the same authority,” said Max Stier, CEO of The Partnership for Public Service, which tracks federal jobs.
“They’re the substitute teacher,” he added. “They’re not perceived externally as having the long-term authority, and they’re not going to see the job that way. They know they’re a gap-filler.”
Without the jobs being filled by permanent personnel, “it slows your response capabilities,” added Cummiskey, since the acting agency officials are looking to superiors for guidance.
When responding to a major cyberattack, “It’s a lot about collaborating across government,” Stier said. “That requires relationships. Those relationships are less likely when you don’t have full-time people.”
Being able to make a quick phone call as hackers raid your network is vital, former officials said. That’s especially true for the private sector, which is often the first to see inklings of looming digital ambushes.
Cohen said industry leaders had also expressed frustration to him in general “with the level of communications and information sharing” with the government on cyber threats, while conceding that this is a problem the Trump administration inherited from its predecessor.
Others, like former Senate Homeland Security staffer Christian Beckner, expect that the bigger challenges the cybersecurity leadership gap poses to the Trump administration are longer-term.
“I think key agencies — primarily DHS and FBI — can handle the immediate technical response to this with career staff in place,” said Beckner, now deputy director for George Washington University’s Center for Cyber and Homeland Security.
But down the road, he added, the absence of senior appointees at DHS’ cyber division “could hinder DHS’ ability to develop and implement new policies that may be necessary, engage with Congress on related legislation and manage the public communications aspects of a response to such a major cyberattack.”
Democrats have been quick to pile on in recent weeks, highlighting the issue at hearings and bringing it up again after the Trump administration issued a cybersecurity executive order last week. The order called for reports on the government’s digital protections and directed agencies to adopt specific cyber standards.
Missouri Sen. Claire McCaskill took the administration to task last week for its unfilled cyber positions at agencies including DHS and the Defense, Commerce and Justice departments.
"Today, scores of senior cyber-related positions at agencies throughout the government remain unfilled,” McCaskill said at a hearing of the Homeland Security Committee, where she is the top Democrat. "Right now we’re needlessly fighting with one hand tied behind our backs."
Illinois Rep. Robin Kelly, the top Democrat on the House Oversight Subcommittee on Information Technology, was among several lawmakers who said last week that Trump’s new cybersecurity executive order could be effective only if accompanied by adequate cyber staffing.
Then again, one potential positive consequence of this week’s high-profile outbreak is that it could make Trump realize he needs to move faster to fill job openings, said Steve Weber, faculty director at the University of California in Berkeley’s Center for Long-Term Cybersecurity.
“If this increases the urgency or sense of urgency inside the White House to more aggressively or more boldly,” that’s a silver lining, Weber said. “It’s hard to make policy if you don’t have the positions filled.”
Cory Bennett and Martin Matishak contributed to this report.