Andrew Grotto named CISAC fellow

Andrew J. Grotto, a former top National Security Council cybersecurity official in the White House, will join Stanford’s Center for International Security and Cooperation this summer.

Grotto will hold the William J. Perry International Security Fellowship and serve as a research fellow at the Hoover Institution. His appointment is for two years, and he will also be a fellow in the Stanford Cyber Initiative

Cybersecurity focus

Grotto has been involved in virtually every major U.S. cyber policy initiative of the past nine years, from his time on Capitol Hill through his tenure in the Obama Administration as Commerce Secretary Penny Pritzker's senior advisor on technology policy, and to his recent service for two presidents as senior director for cyber policy at the National Security Council. 

Amy Zegart, CISAC's co-director for the social sciences and a senior fellow at the Hoover Institution, said, "Grotto is one of the world's leading cyber policymakers. He brings deep knowledge, penetrating insights, and experience at the highest levels on issues ranging from trade to espionage to cyber warfare. We are delighted to have him join the cyber community at CISAC and Hoover."

In an interview, Grotto said that cyber policy remains underdeveloped as a distinct policy domain. And that has drawn him to CISAC, he noted, “for its commitment to becoming a leading institution supporting the development of this domain.”

Grotto added, “In more established national security domains, such as nonproliferation and counterterrorism, there is a well-developed corpus of scholarly work, historical precedent, and practical experience within the domain that we can draw from to inform, contextualize and evaluate policy decisions. This corpus is still thin with respect to cyber policy making. We don’t have the luxury of waiting decades to create this corpus for cyber – we need to develop it quickly.” 

Grotto first became familiar with CISAC's work during an earlier phase of his career when he focused on U.S. policy towards nuclear weapons - how to prevent their spread, and their role in U.S. national security strategy. CISAC core faculty member Scott Sagan was an early mentor of Grotto’s and first exposed him to CISAC and its scholarly work. Grotto describes the center as a “first-rate research institution at a world class university, with great people. I'm thrilled to be a part of it.”


Topics to explore

Cybersecurity policy is a vast field, Grotto said, because virtually every national security challenge facing the country has a cyber dimension to it. 

“I'd be hard pressed to identify a single directorate within the National Security Council that my team and I did not at some point work with on a ‘cyber and…’ problem: cyber and the financial services sector, cyber and the electric grid, cyber and global economic competitiveness, cyber and China, to name a few. So, there's no shortage of cyber-related topics to write on,” he said. 

Several policy problems stand out as foundational for Grotto, and these will be the focus of his research and writing while at CISAC:

• Development of analytic frameworks for defining the dimensions and boundaries of private sector responsibility, especially infrastructure, for defending against cyber threats, versus the government’s responsibility, and using these frameworks to evaluate cybersecurity regulation and identify opportunities and challenges for more effective cybersecurity partnerships between the government and the private sector.

• Cyber-enabled information operations as both a threat to, and a tool of statecraft for, liberal democracies.

• Opportunities and constraints facing offensive cyber operations as a tool of statecraft, especially those relating to norms of sovereignty in a digitally connected world. 

For example, Grotto explained, an adversary physically located in Country X may have cyber infrastructure in Country Y and Country Z, such that an operation against that adversary generates effects in one or more third countries. “How we approach this ‘third country’ issue will have dramatic ramifications for the practical role of offensive cyber operations in U.S. national security strategy,” he noted.

• Governance of global trade in information technologies, especially cybersecurity-related regulation, norms of behavior in cyberspace for governments and private actors, and the appropriateness of applying traditional arms control tools such as export controls to limit the proliferation and use of malicious cyber capabilities.

National Security Council highlights

Grotto said working at the National Security Council was “a privilege of a lifetime. It was the most challenging and intense job I have ever had, and easily the most rewarding.” 

His portfolio spanned a range of cyber policy issues, including defense of critical infrastructure—financial services, energy, communications, transportation, health care, electoral infrastructure, and other vital sectors—cybersecurity risk management policies for federal networks, consumer cybersecurity, and cyber incident response policy and incident management. He also covered technology policy topics with a nexus to cyber policy including encryption, surveillance, privacy, Internet of Things, and the national security dimensions of artificial intelligence and machine learning. 

Grotto said his first job out of graduate school was at a prominent Washington, D.C. think tank. “I viewed it as a waypoint on the path to becoming a law professor, and an academic career focused on international trade law and policy,” he said.

There he was surrounded by people who had served in government, and their “passion for public service was infectious,” he recalled.

He left the think tank to join the Professional Staff of the Senate Select Committee on Intelligence, where he served as then-Chairman Dianne Feinstein’s (D-CA) lead staff overseeing cyber-related activities of the intelligence community and all aspects of NSA’s mission. He also served as committee designee first for Senator Sheldon Whitehouse (D-RI) and later for Senator Kent Conrad (D-ND), advising the senators on oversight of the intelligence community, including of covert action programs, and was a contributing author of the “Committee Study of the Central Intelligence Agency’s Detention and Interrogation Program.”

In 2013, he left the committee to become Commerce Secretary Penny Pritzker’s senior advisor on technology policy, advising Pritzker on all aspects of technology policy, including Internet of Things, net neutrality, privacy, national security reviews of foreign investment in the U.S. technology sector, and international developments affecting the competitiveness of the U.S. technology sector.

While serving on the NSC, Grotto played a key role in shaping President Obama’s Cybersecurity National Action Plan and driving its implementation. He was also the principal architect of the Trump Administration's cybersecurity executive order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

During his time on Capitol Hill, he led the negotiation and drafting of the information sharing title of the Cybersecurity Act of 2012, which later served as the foundation for the Cybersecurity Information Sharing Act that President Obama signed in 2015.

Grotto received a master’s degree in public administration from Harvard University, a law degree from UC Berkeley, and a bachelor’s degree in philosophy from the University of Kentucky.


Andy Grotto, Center for International Security and Cooperation:

Clifton B. Parker, Center for International Security and Cooperation: 650-725-6488,