Cybersecurity: Emerging Partnerships
by Richard Weitz
Cybersecurity is an inherently interagency process requiring a “whole-of-government” approach.
The head of the National Security Agency (NSA), Gen. Keith Alexander, has called cybersecurity “a team sport” requiring effective partnerships among Government agencies, the private sector, foreign allies and others.
Loss of U.S. critical information networks could lead to massive harm to the public’s safety and welfare, as well as threatening DoD operations. Emergency services depend on the Internet to communicate and coordinate their response. The stability of the U.S. banking system depends on people’s belief that their money and financial information are secure. Electric power networks, which support other critical infrastructure networks, are vulnerable to cyberattacks.
When he came into office, Obama quickly launched a White House “Cyberspace Policy Review.”
Its May 2009 report identified a fundamental interagency problem in the cyber domain: “Responsibilities for cybersecurity are distributed across a wide array of Federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way.”
A subsequent U.S. Government Accountability Office (GAO) report found that U.S. Government agencies have overlapping and uncoordinated responsibilities for cybersecurity activities that still have not been clarified by the recent cybersecurity initiatives. Responsibility for U.S. cybersecurity remains divided, with:
- The Department of Defense (DoD) responsible for protecting military networks, drawing heavily on the resources at the National Security Agency (NSA)
- The Department of Homeland Security (DHS) is tasked with defending federal civilian networks as well as helping protect private sector networks in the United States
- The Department of State responsible for negotiating agreements with foreign governments and engaging in dialogue with governments over the proper management of the Internet
- The private sector charged with securing its own networks, with the assistance of the FBI and other national, local and international law enforcement bodies
A March 2009 report by the Task Force on National Security in the Information Age warned about persistent cyber vulnerabilities due to the continuing failure of U.S. Government agencies and other organizations to share information effectively.
Extensive classification could also disrupt the already-troubled campaign to reorient U.S. Government information managers from the traditional “need-to-know” philosophy to one embodying a “need-to-share” attitude.
The success of the September 2001 terrorist attacks and the December 2009 attempted bombing of a Northwest Airlines flight over Detroit have led many to stress the importance of ensuring that national security managers have access to all available information so that they can identify and understand current and emerging threats most effectively.
Combating malicious activities on the Internet requires much greater cooperation among federal entities, as well as state and local governments, foreign countries, and the private sector. Yet, it is unclear which U.S. Government body has budget and enforcement authority in the cybersecurity domain, which makes the interagency process difficult to coordinate. The NSA has the greatest capabilities of any cyber organization within the U.S. Government. Although it plays a key supporting role for both DHS and DoD, its role in protecting critical private-sector infrastructure remains contested.
GAO warned that security vulnerabilities will persist until the roles and responsibilities for cybersecurity activities across the Federal Government are more clearly defined and coordinated. GAO analysts also cite a lack of measurements for effectiveness to gauge progress. Members of Congress complain that U.S. cybersecurity policy has remained disjointed, ineffective and uncoordinated. They call for a comprehensive cybersecurity strategy backed by aggressive implementation of effective security measures.
At the same time, the Congress has failed to address cyber and other homeland security threats in an integrated manner.
Its committee structure is poorly structured to oversee many cyber policy and legal challenges. The sweeping nature of cyber issues, which affect many sectors of American society as well as the military, traditionally presents problems for Congress’s specialized committee structure. Few members have considerable expertise regarding cyber issues. Those interested in the issue have offered a range of conflicting recommendations.
Congress may want something to be done (as indicated in the scenario), but lacks the “command authority” to direct a timely national response. Instead, members are looking for the White House to coordinate an integrated inter-agency response to the immediate crisis while proposing for Congressional consideration new legislation that would help avert similar crises in the future.
In opening the February 2, 2012 hearing of the House Select Committee on Intelligence, the Committee chairman, Representative Mike Rogers, said that “I believe our problem here is — I hate to say it — the United States Congress. There are some 30 bills, cyber bills, out there. Again, we have looked, studied and understood the problem. There are lots of approaches. But at the end of the day, we must act. Congress must act.”
A prominent 2008 Center for Strategic and International Study (CSIS) commission study that influenced the thinking of the Obama Administration argued that cybersecurity was so important that the White House had to take the lead in promoting it. The commission therefore advocated creating “an officer within the Executive Office of the President who has the responsibility to evaluate and approve all cyber-specific and cyber-related funding across the Federal Government agencies.”
The expectation was that such a Czar would have the status and authority to induce the independent departments and agencies with cyber roles, missions and responsibilities to adjust their policies to support Government-wide needs more effectively. Another hope was that, since the Czar would represent the White House rather than DHS or another Government department, he or she would more readily be seen as an honest broker defending the national interest as opposed to that of a single agency. Opponents argued that creating a White House cybersecurity Czar would simply create new turf battles and exacerbate disputes over authority. They also worried that setting up the new office would engender further delays as the new structure spent time becoming fully functional. They advocated instead giving DHS additional authority and resources to allow it to perform its original civilian cybersecurity Mission more effectively.
The Obama White House cybersecurity review also cited the need for a new national strategy that better defines agency roles and responsibilities.
To that end, the Obama Administration has created a new position of White House Cybersecurity Coordinator (aka “Czar”—a misleading term) to help integrate the interagency response.
In late December 2009, the Obama Administration selected Howard Schmidt to fill the new position of White House Cybersecurity Coordinator. Schmidt, formerly President and CEO of the Information Security Forum, serves on the National Security Council (NSC) staff, but also works closely with the National Economic Advisor. He is part of the policy apparatus rather than the emergency response chain.
In addition, he is responsible for coordinating interagency staff work in preparation for cyber-related NSC meetings; monitoring follow-up actions assigned by the NSC; and periodically briefing the National Security Advisor and the President about current cyber issues.
The powers of the new czar should not be exaggerated.
Schmidt does not have budget authority over the cyber programs of the U.S. Government departments and agencies that he formally supervises.
As a result, he lacks means to force these agencies, whose heads are confirmed by Congress, to implement specific policies. His influence depends heavily on the agency heads’ relationships with the President. Schmidt’s main role is to give voice to cybersecurity concerns within interagency deliberations. He serves as a point of contact for all cybersecurity-related issues and participates in counterterrorism, technology and other discussions that could affect the Government’s cybersecurity policies. Schmidt also works with state and local governments to strengthen U.S. national cybersecurity (i.e., extending beyond Federal agencies). His most important contribution will be to improve policy integration among U.S., state, local and perhaps private cyber actors by identifying dangerous gaps and unwelcome redundancies in their programs.
In addition to Schmidt’s work in defining agency responsibilities, the DHS-led National Cyber Incident Response Plan aims to define more clearly the roles and responsibilities for all of the Federal Government players and the private sector in the event of a cyber incident that affects national security.
DHS has been testing the draft plan in its Cyber Storm exercise series.
But U.S. officials acknowledge that the U.S. Government will need to revise these roles and responsibilities as U.S. capabilities and the threat environment change.
In addition, responsibility for most U.S. cybersecurity resides with the owners and managers of the critical private-sector infrastructure, such as communications, transportation and the financial sector. And even within the Government, the expectation is that each department or agency has to assume primary responsibility for securing its own networks.
Collective national cybersecurity can be addressed effectively only through a close partnership between the Government and private industry. The Government has the legal authority required to organize markets, enforce laws and protect citizens’ privacy and property. On the other hand, the vast majority of cyberspace infrastructure is privately owned and operated. Private industry has most of the expertise in the field of cybersecurity, as well as in the various critical infrastructure sectors that could be threatened by cyber threats. Whereas the Federal Government will have the most comprehensive knowledge of potential terrorist threats, the operators of the private-sector networks will likely know first when something is amiss with those networks.
DoD and DHS are developing several connections to collaborate on their approach to cyberspace.
Both rely on the National Security Agency (NSA) for technical expertise regarding network issues. Within DoD, the Under Secretary of Defense for Policy (USD/P) has people who engage daily with their DHS counterparts on homeland defense issues. They exchange intelligence on potential threats through numerous channels. And they engage through interagency meetings run by the White House and other coordinating bodies. Still, they all have diverging perspectives and priorities, and tensions still arise over using the U.S. military for domestic issues, as well as over the imbalance of resources in favor of the Pentagon.
DoD and DHS signed a joint memorandum on “Enhancing Coordination to Secure America’s Cyber Network” that discusses how they will cooperate further. For example, the memorandum calls for “[embedding] DoD cyber analysts within DHS to better support the National Cybersecurity and Communications Integration Center (NCCIC) and [sending] a full-time senior DHS leader to DoD’s National Security Agency, along with a support team comprised of DHS privacy, civil liberties and legal personnel.” The agreement was subsequently codified in legislation. Since the threat environment continues to evolve, the cooperation between the two departments, and the coordination mechanisms between them, will presumably change constantly.
The new National Cybersecurity Center (NCSE) is dedicated to enabling collaboration across the six existing agency cyber centers, such as those run by the FBI for law enforcement purposes.
The goal is to share information and achieve common situational awareness across all of the different areas of data and knowledge available to the U.S. Government. However, due to a lack of coordination among the top level of agencies and the White House, the center has not been fully operational and it is unclear what responsibilities it is to assume for the Federal Government as a whole.
Meanwhile, the private sector, distrustful of what it sees as government weaknesses in this area, has yet to cooperate comprehensively with government authorities to address this problem or invest sufficient resources to defend its equities from a crippling attack. The private sector controls some ninety percent of the critical infrastructure in the United States–which includes power grids, communications networks, financial services, and means of transport.
DNI Clapper has said that the government needed the private sector’s help to address the two most immediate cyber threats identified by the U.S. Intelligence Community:
(1) the difficulty of providing timely, actionable warning of cyber threats and incidents, such as identifying past or present security breaches, definitively attributing them, and accurately distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks; and
(2) the highly complex vulnerabilities associated with the IT supply chain for US networks.
But in many case private businesses are wary of sharing too much information with the Government, for fear that their proprietary information will leak or that they could become liable for any flawed policies. They also have an incentive to keep cyber incidents secret so as not to alarm their customers and investors.
It is crucial for operators of private and public cyber infrastructure to share information about breaches in data security. It took the shock of the 9/11 attacks to increase information sharing between intelligence and law enforcement agencies, but no one wants to wait until a comparable disaster induces much greater intelligence sharing between public and privates sector cyber defenders.
Both private and government operators of cyber infrastructure are inherently vulnerable, which compels a cooperative approach to mitigate the vulnerability of U.S. critical infrastructure, including our financial system, power grid, air traffic control, and reservoir of intellectual property.