The Department of Cyber?
- By Derek B. Johnson
Policymakers and members of Congress have increasingly called for a "whole of government" response to cybersecurity threats, including foreign election meddling and critical infrastructure protection, and a formal, unified cyber doctrine to govern U.S. policy.
One idea – that of a single, consolidated agency with authority over most civilian cyber operations – is garnering increased attention from both nation states and policy analysts.
In February, Microsoft put out a white paper laying out best practices for a single national cybersecurity agency that drew from the company's experiences dealing with governments around the world. Such agencies should have a clear statutory mandate to manage policy, the ability to conduct outreach to industry and allies, oversee regulation of private industry and coordinate emergency incident response.
Paul Nicholas, Microsoft's senior director of digital trust, said in a blog post that his team's research indicates that "today over half of the world's countries are leading some sort of national level initiative for cybersecurity, with countless other efforts at sectoral, state, city, or other levels."
The paper notes that many cybersecurity agencies derive their authorities by delegating existing powers from other parts of government. Nicholas wrote that this can leave agencies bogged down by underlying regulations that "create a quagmire of laws, bodies, and processes."
Curtis Dukes, former director of the Information Assurance Unit at the National Security Agency and executive vice president at the Center for Internet Security, also has argued in favor of a consolidated cybersecurity agency within the U.S. government, though he emphasized that a military-civilian split would still be necessary to provide clear lines of delineation about when a particular policy or action should be considered an act of war.
Still, Dukes expressed frustration at the way cybersecurity authorities have been so widely dispersed throughout the federal government, arguing that it leads to confusion among congressional overseers and slower response times as agencies become caught up in jurisdictional turf battles.
"We've created [memorandums of agreement), we've created PowerPoint charts about how it all works, but the reality on the ground is that there's just a lot of inefficiency there about who responds and how," said Dukes. "We really are sending confusing signals on who's actually in charge and providing the level of support and clear line of command."
While some, like Adm. Mike Rogers, outgoing head of the National Security Agency and Cyber Command, have said they believe the structure for cyber authority among agencies is well defined, that structure is not always easily understood by outside stakeholders. At a Feb. 27 Senate Armed Services Committee hearing, lawmakers asked Rogers what CyberCom was doing to strike back at Russia for election meddling, protect election infrastructure and police contractors who show their source code to foreign governments. None of those actions fall directly under the jurisdiction of U.S. Cyber Command, and senators expressed irritation and dissatisfaction when told so by Rogers.
"The concern I have is who's in charge? Unless there's somebody who's responsible for coordinating activities for dealing with what [DHS] is doing and Cyber Command is doing and what DoD is doing and what the White House is doing, nobody is going to be in charge," said Sen. Jeanne Shaheen (D-N.H.).
The calls in Congress, the media and the public for a more coherent and unified cyber doctrine can at times belie just how dispersed cybersecurity policy authority and jurisdiction is throughout the federal government. The NSA, Department of Homeland Security, Department of Defense and the Federal Bureau of Investigation occupy leading positions in the hierarchy, overseeing major policy areas like electronic warfare, cybercrime, defense of federal networks and critical infrastructure.
DHS' National Protection and Programs Directorate has emerged as a hub for many – but not all – federal civilian cybersecurity initiatives. Two years ago, House Homeland Security Committee Chairman Michael McCaul (R-Texas) echoed many of the same concerns about the need for more centralized cybersecurity authorities housed within a single agency.
That push resulted in a bill, the Cybersecurity and Infrastructure Security Agency Act of 2016, that would have elevated NPPD to a full agency with four divisions and the authority to coordinate with other agencies on all matters related to cybersecurity and critical infrastructure protection. That mandate was included in a Senate bill to authorize the Department of Homeland Security, which passed out of committee in March and is awaiting consideration in the full Senate.
Dukes said the legislation is a good start, but that the new agency will need additional support and authority to cut across departments and implement policy solutions at speed. He pointed to the establishment of centralized cyber agencies in countries like the U.K. and Canada as examples of where governance models are trending.
Elements within DHS also are looking to leverage their existing authorities to take a more holistic view. In an annual review released April 2, The National Cybersecurity and Communications Integration Center detailed how it spent much of 2017 conducting an internal review of operational efficiency.
The organization expanded its information sharing capabilities, integrated the U.S. and Industrial Control Systems Computer Emergency Readiness Teams into a single functional structure and consolidated national exercise and training programs. The department has also spent the past few years standing up programs, like Continuous Diagnostics and Mitigation and Automated Indicator Sharing, that can look across both government and industry for emerging cyber threats.
Suzanne Spaulding, former undersecretary of NPPD, expressed skepticism about the need for a consolidated cyber agency, telling FCW, "I've seen this movie before," and comparing it to calls for a standalone agency dedicated to counterterrorism efforts and weapons of mass destruction.
While the creation of the Department of Homeland Security and the National Counterterrorism Center did centralize many national security functions, it still receives criticism today for being a Frankenstein monster of disparate agencies and missions stitched together to serve the common goal of preventing more 9/11 style attacks. Spaulding pointed out that the FBI and intelligence agencies still play critical counterterrorism roles that didn't change just because Congress wanted a one-stop shop for security policymaking.
"When they set up NCTC they tried to set up an operational entity that would coordinate across government…all counterterrorism operational activity. It was overly ambitious," said Spaulding. "When there's a terrorist incident in the United States, people don't turn to NCTC and say 'how could you let this happen?'"
Spaulding said that while the status quo may cause confusion and griping, a unified agency would create as many problems as it solves. She argued that where centralization makes sense, the government has already taken steps to do so, but that in large part policy authority has organically sorted to the agencies with the most expertise.
"There's an expertise associated with regulating financial institutions that you shouldn't have to recreate," said Spaulding. "The Department of Energy, they're the experts on the electric grid. They ought to have an important role in cybersecurity of the electric grid."
She worries that untangling authorities from different agencies or viewing the problem through the prism of technology may end up separating decision making from the people who are best positioned to determine their policy impact.
"Your IT folks can tell you the consequences to the computer network, but they're not really going to be in a position to tell you the impact on the business," she said.