Energy Cyber Role Unfilled Over Power Struggle as Hacks Increase

  • Lawmakers call for DOE cyber assistant secretary nominee
  • Energy Secretary says it’s best filled by a career employee

A showdown is brewing between Congress and the Biden administration over whether a political appointee or a nonpartisan civil servant should lead the Energy Department’s cybersecurity office, a role that’s become critically important given the increased frequency of cyberattacks on energy infrastructure.

The Energy Department wants the role to be filled by a career employee and the administration has declined to nominate anyone for it. Lawmakers from both parties are so determined to force the White House’s hand that they’ve introduced legislation in both chambers to codify the position as an assistant secretary subject to Senate confirmation. The House passed its bill in July.

The leader of the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response is the only Senate-confirmed cybersecurity position lacking a nominee, according to data from the nonprofit Partnership for Public Service, which tracks political appointees. The position is being filled by an acting assistant secretary despite an increase in cyber breaches and ransomware attacks, including on the Colonial Pipeline Co., which resulted in nearly half of the East Coast’s fuel supply shutting down in May.

“Given the fact that data breaches and cyberattacks are only growing in size and scope, it would be a serious mistake to downgrade leadership of CESER from an assistant secretary role at this critical moment,” Sen. Jim Risch (R-Idaho) told Bloomberg Government.

Sen. Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission tasked with developing cybersecurity policy recommendations, similarly said the CESER role “should be a political appointee with Senate confirmation, I think that would elevate it.”

The White House declined to comment on the record about naming a potential CESER nominee.

The CESER vacancy isn’t an anomaly in the Biden administration’s approach to filling jobs. The White House has only named about 360 nominees of the approximately 1,200 Senate-confirmed positions in the administration, and the Senate has confirmed about 100 of those nominees, according to data provided by the Partnership for Public Service. It took nearly six months to fill the two other Senate-confirmed cyber roles—the director of the Cybersecurity and Infrastructure Security Agency and the national cyber director.

The distinction in the CESER job is that it’s one of a number of positions for which the administration has deliberately declined to nominate anyone. The office was created by the Trump administration in 2018 and was led by a Senate-confirmed assistant secretary from September 2018 through February 2020. However, it has lacked a politically appointed leader for the past 18 months, nearly half the time since its establishment.

“This is an emergency operation, sort of akin to an emergency response entity that is non-political, it is not partisan,” Energy Secretary Jennifer Granholm told the Senate Energy and Natural Resources Committee in June.

She expanded on her push for a non-partisan CESER leader in response to a bipartisan letter sent by King, Risch, Sen. Joe Manchin (D-W.Va.) and others. Granholm said emergency preparedness and management “is best handled by a stable, professional set of employees who have developed relationships with industry partners and do not have to go through a learning curve when crises happen.”

Government watchdog groups attested to the benefits of continuity that career-level employees provide in leadership roles.

“I think Secretary Granholm is showing real wisdom in supporting a notion that she’s better served with career leadership that she can have in place today and that will actually be around for a long period of time, as opposed to the very challenging marathon that is involved in trying to put a political leader in place who won’t be around that long,” said Max Stier, president and CEO of the Partnership for Public Service.

The average tenure of a political appointee is just two years, Stier said. “The criticality of consistent, continuous leadership is something that is undervalued in these jobs. Having continuous career leadership is incredibly powerful for improved performance.”

Liz Hempowicz, director of public policy at the nonprofit Project on Government Oversight, said, “If you’re looking for continuity across administrations, if there’s not a strong political bent to the position, I think it makes a lot of sense to say this is better suited to a career employee.”

Lawmakers feel differently.

Efforts to Legislate

The House passed its bipartisan bill (H.R. 3119) on July 19, amending the Energy Organization Act to establish the new assistant secretary role overseeing energy security issues, including energy infrastructure; emerging threats; supply; and emergency planning, coordination, response and restoration.

“By codifying the assistant secretary for cybersecurity and emergency response issues, this bill would go a long way in helping to protect the nation’s electric infrastructure from hackers and other bad actors who would attempt to disrupt our energy grid and harm our economy, our daily lives and our overall national security,” House Energy and Commerce Chair Frank Pallone (D-N.J.) said on the House floor before the bill’s passage.

The House passed the same bill during the last Congress but it never advanced in the Senate. This year, there’s more momentum, including a Senate-introduced companion bill (S. 2302) from Sens. John Barrasso (R-Wyo.), ranking member of the Senate Energy and Natural Resources Committee, and Risch. Manchin and King signed onto the earlier letter to Granholm urging that the CESER position be elevated, signaling potential for bipartisan cosponsors to back the bill.

Risch thinks the role should be a Senate-confirmed assistant secretary to show that cybersecurity and emergency response are a priority. The recent ransomware attacks underscore the urgency of filling this position, a Risch spokesperson said.

Sen. Lisa Murkowski (R-Alaska), former chairman of the Senate Energy and Natural Resources Committee, said cybersecurity was important when CESER was created in 2018. “It’s even more timely now, so I think it’s important that we try to get good people into these positions so they can do the job that we’ve tasked them to do.”

Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, thinks CESER is best served by a Senate-confirmed leader and not lowered to a career position.

“Downgrading the role, in perception and/or practice, is short-sighted, especially in light of the cyber threat facing our country,” he said. “The head of CESER ought to be commensurate with the weight of the mission and have the gravitas, authorities and accountability associated.”

Uncertainty With Acting Role

In the meantime, the CESER office is being led by Acting Assistant Secretary Patricia Hoffman, who was named to the role on Jan. 20 and previously served at DOE during the Trump and Obama administrations.

She is also serving as the acting assistant secretary for the Office of Electricity, and both offices need the full focus of capable individuals, Risch’s spokesperson said.

Under the Federal Vacancies Reform Act, Hoffman can only serve in the acting role until November. But if the White House nominates an assistant secretary before November, Hoffman can serve in the acting role while the nominee is pending at the Senate.

An option to appease Congress could be for the White House to nominate Hoffman’s deputy at CESER, Acting Principal Deputy Assistant Secretary Puesh Kumar.

“Acting doesn’t do you any good. You’re going to have to have someone in there who’s actually doing the job,” said Ronald Marks, a non-resident senior fellow on the Atlantic Council’s Scowcroft Center for Strategy and Security.

To contact the reporter on this story: Rebecca Kern in Washington at rkern@bgov.com

To contact the editors responsible for this story: Giuseppe Macri at gmacri@bgov.com; Bernie Kohn at bkohn@bloomberglaw.com