The Department of Cyber?

As some nations unify their cybersecurity operations, there are calls for a similar effort to create a single agency for civilian cyber authorities in the U.S.

 

Policymakers and members of Congress have increasingly called for a "whole of government" response to cybersecurity threats, including foreign election meddling and critical infrastructure protection, and a formal, unified cyber doctrine to govern U.S. policy.

One idea – that of a single, consolidated agency with authority over most civilian cyber operations – is garnering increased attention from both nation states and policy analysts.

In February, Microsoft put out a white paper laying out best practices for a single national cybersecurity agency that drew from the company's experiences dealing with governments around the world. Such agencies should have a clear statutory mandate to manage policy and the ability to conduct outreach to industry and allies, oversee regulation of private industry and coordinate emergency incident response.

Paul Nicholas, Microsoft's senior director of digital trust, said in a blog post that his team's research indicates that "today over half of the world's countries are leading some sort of national level initiative for cybersecurity, with countless other efforts at sectoral, state, city, or other levels."

The paper notes that many cybersecurity agencies derive their authorities by delegating existing powers from other parts of government. Nicholas wrote that this can leave agencies bogged down by underlying regulations that "create a quagmire of laws, bodies, and processes."

Curtis Dukes, former director of the Information Assurance Unit at the National Security Agency and executive vice president at the Center for Internet Security, also has argued in favor of a consolidated cybersecurity agency within the U.S. government, though he emphasized that a military-civilian split would still be necessary to provide clear lines of delineation about when a particular policy or action should be considered an act of war.

Still, Dukes expressed frustration at the way cybersecurity authorities have been so widely dispersed throughout the federal government, arguing that it leads to confusion among congressional overseers and slower response times as agencies become caught up in jurisdictional turf battles.

"We've created [memorandums of agreement], we've created PowerPoint charts about how it all works, but the reality on the ground is that there's just a lot of inefficiency there about who responds and how," said Dukes. "We really are sending confusing signals on who's actually in charge and providing the level of support and clear line of command."

While some, like Adm. Mike Rogers, outgoing head of the National Security Agency and Cyber Command, have said they believe the structure for cyber authority among agencies is well defined, that structure is not always easily understood by outside stakeholders. At a Feb. 27 Senate Armed Services Committee hearing, lawmakers asked Rogers what CyberCom was doing to strike back at Russia for election meddling, protect election infrastructure and police contractors who show their source code to foreign governments. None of those actions fall directly under the jurisdiction of U.S. Cyber Command, and senators expressed irritation and dissatisfaction when told so by Rogers.

"The concern I have is who's in charge? Unless there's somebody who's responsible for coordinating activities for dealing with what [DHS] is doing and Cyber Command is doing and what DoD is doing and what the White House is doing, nobody is going to be in charge," said Sen. Jeanne Shaheen (D-N.H.).

The calls in Congress, the media and the public for a more coherent and unified cyber doctrine can at times belie just how dispersed cybersecurity policy authority and jurisdiction are throughout the federal government. The NSA, Department of Homeland Security, Department of Defense and the Federal Bureau of Investigation occupy leading positions in the hierarchy, overseeing major policy areas like electronic warfare, cybercrime, defense of federal networks and critical infrastructure.

DHS' National Protection and Programs Directorate has emerged as a hub for many – but not all – federal civilian cybersecurity initiatives. Two years ago, House Homeland Security Committee Chairman Michael McCaul (R-Texas) echoed many of the same concerns about the need for more centralized cybersecurity authorities housed within a single agency.

That push resulted in a bill, the Cybersecurity and Infrastructure Security Agency Act of 2016, that would have elevated NPPD to a full agency with four divisions and the authority to coordinate with other agencies on all matters related to cybersecurity and critical infrastructure protection. That mandate was included in a Senate bill to authorize the Department of Homeland Security, which passed out of committee in March and is awaiting consideration in the full Senate.

Dukes said the legislation is a good start, but that the new agency will need additional support and authority to cut across departments and implement policy solutions at speed. He pointed to the establishment of centralized cyber agencies in countries like the U.K. and Canada as examples of where governance models are trending.

Elements within DHS also are looking to leverage their existing authorities to take a more holistic view. In an annual review released April 2, the National Cybersecurity and Communications Integration Center detailed how it spent much of 2017 conducting an internal review of operational efficiency.

The organization expanded its information sharing capabilities, integrated the U.S. and Industrial Control Systems Computer Emergency Readiness Teams into a single functional structure and consolidated national exercise and training programs. The department has also spent the past few years standing up programs, like Continuous Diagnostics and Mitigation and Automated Indicator Sharing, that can look across both government and industry for emerging cyber threats.

Suzanne Spaulding, former undersecretary of NPPD, expressed skepticism about the need for a consolidated cyber agency, telling FCW, "I've seen this movie before," and comparing it to calls for a standalone agency dedicated to counterterrorism efforts and weapons of mass destruction.

While the creation of the Department of Homeland Security and the National Counterterrorism Center did centralize many national security functions, the department still receives criticism today for being a Frankenstein monster of disparate agencies and missions stitched together to serve the common goal of preventing more 9/11-style attacks. Spaulding pointed out that the FBI and intelligence agencies still play critical counterterrorism roles that didn't change just because Congress wanted a one-stop shop for security policymaking.

"When they set up NCTC they tried to set up an operational entity that would coordinate across government…all counterterrorism operational activity. It was overly ambitious," said Spaulding. "When there's a terrorist incident in the United States, people don't turn to NCTC and say 'how could you let this happen?'"

Spaulding said that while the status quo may cause confusion and griping, a unified agency would create as many problems as it solves. She argued that where centralization makes sense, the government has already taken steps to do so, but that in large part policy authority has organically sorted to the agencies with the most expertise.

"There's an expertise associated with regulating financial institutions that you shouldn't have to recreate," said Spaulding. "The Department of Energy, they're the experts on the electric grid. They ought to have an important role in cybersecurity of the electric grid."

She worries that untangling authorities from different agencies or viewing the problem through the prism of technology may end up separating decision making from the people who are best positioned to determine their policy impact.

"Your IT folks can tell you the consequences to the computer network, but they're not really going to be in a position to tell you the impact on the business," she said.
