Today, the White House confirmed that cybersecurity coordinator Rob Joyce will head back to the National Security Agency, where he previously ran the nation’s top hacking team. His departure comes just a week after Tom Bossert, Trump’s cybersecurity czar and Joyce’s boss, was forced out—and leaves the administration without two trusted voices on one of the most important challenges the US faces going forward.

While Bossert’s exit appears to have been engineered by recently installed national security advisor John Bolton, Reuters reports that Joyce will leave of his own accord. But whatever the reasons for their respective absences, losing them will slow the ability of the US to think about big-picture cybersecurity concerns. And replacing them may not be easy.

'Even though no one should be surprised, it doesn’t mean it shouldn’t be an outrage. Jason Healey, Columbia University

To understand the impact of losing both Bossert and Joyce, it’s important to understand exactly what it is they do. As homeland security adviser, Bossert’s purview extended beyond cybersecurity specifically, but America's security from digital threats has nonetheless been an area of particular focus for him since he served as deputy homeland security advisor in George W. Bush’s second term. It was Bossert who called out North Korea for the WannaCry ransomware that threatened to seize up computers around the world in a recent Wall Street Journal editorial, and who briefed the nation on Trump’s cybersecurity executive order last fall. He was also seen as a potentially stabilizing force in a freewheeling administration.

Joyce, meanwhile, brought serious hacker bona fides to the White House earned after years of running the NSA's elite hacking team known as Tailored Access Operations. That experience helped navigate everything from if and when US spy agencies disclose valuable vulnerabilities to the country’s deterrence strategy in an increasingly combative online world.

And combined, the two appear to have led the US reversal in its stance on Russian hacking. Previously, Trump had refused even to acknowledge that Russia had interfered in the 2016 election. Presumably under Bossert and Joyce's guidance, the administration leveled serious sanctions just last month against the country for its cyber misdeeds. After they go, it's unclear what line the US might take against Putin's hackers.

In a statement, White House press secretary Sarah Sanders said that Joyce has “has agreed to stay on as needed to provide continuity and facilitate the transition with his replacement.”

Staff upheaval when a new national security advisor comes in isn’t uncommon. But losing the two top people responsible for US cybersecurity policy in short succession—without having replacements lined up—concerns close observers.

“Even though no one should be surprised, it doesn’t mean it shouldn’t be an outrage,” says Jason Healey, a cyberconflict researcher at Columbia University who served the George W. Bush administration as the director of cyber infrastructure protection. “Right when the cyber challenges are going to be significantly picking up, we just don’t have any team there.”

The impact won’t be felt as acutely day to day, says J. Michael Daniel, who served in Joyce’s role under President Barack Obama and currently heads up the Cyber Threat Alliance nonprofit. “On the incident side, if something bad happens and we need to respond, that can be done and will continue to happen, and I have confidence in our ability to respond to that,” Daniel says.

But until Bolton finds suitable replacements, expect big-picture progress to come to a standstill. “You would have to expect that there’s going to be a slowdown in the policy process,” says Daniel. “It would be foolish to think otherwise.”

'You would have to expect that there’s going to be a slowdown in the policy process.' J. Michael Daniel, Cyber Threat Alliance

There’s never a good moment to be without cybersecurity policy leadership—well, OK, maybe the 19th century—but these happen to be especially fraught times. Russia has been poking at the US grid and routers worldwide. Trump seems determined to decertify the nuclear deal with Iran, a country that has seen its share of brazen hacks recently. And North Korea remains a geopolitical wild card with impressive cybercapabilities. Strategies need to be formed. Decisions need to be made. With Bossert gone and Joyce on the way out?