Michael Figueroa, Executive Director, Advanced Cyber Security Center
Several Federal agencies are tasked with protecting our interests from cyber security threats. Most notably, the FBI and DHS take strong leadership in this area, but just about every agency from the Treasury to the FCC has a role to play.
Last spring, the White House decided against retaining the National Security Council Cyber security Coordinator position. An unassuming title for a vital job, the coordinator served as the country’s “cyber czar,” tasked with collaborating with cyber security resources across federal agencies to distill a fire hose of a threat intelligence down to a prioritized list for the President’s review. The coordinator had the best position to not only examine the breadth and depth of the cyber security attack domain, but to assess the country’s position to respond defensively, offensively, and diplomatically.
Our adversaries are getting more sophisticated in their cyber attacks. From economic espionage, to intellectual property theft, to probes on our critical infrastructure, to foreign influence campaigns using social media platforms, and now “deep fake” content attacks that distribute digital impersonation videos of people doing and saying things that they never did or said, the country is facing a threat condition. The ACSC believes that it is imperative to have strong, knowledgeable leadership at the highest levels of our government to harness resources and coordinate public/private response. For that reason, we submit that the President should reinstate the cyber security coordinator role and empower it build the partnerships and intelligence-aggregating functions needed to counter modern threats.
The Cyber Czar Role
This administration has struggled recently to establish a robust cybersecurity policy. The Administration released its National Security Strategy for the United States in December 2017, a policy document stated cyber security concerns as critical for national security. Unfortunately, the strategy followed the theme established in an earlier Executive Order by passing off national cyber security responsibilities primarily to industry, with such statements as, “the U.S. Government will work with the private sector to remediate known bad activities at the network level to improve the security of all customers. Malicious activity must be defeated within a network and not be passed on to its destination whenever possible.”
Michael Sulmeyer, the Belfer Center’s Cyber Security Project director at the Harvard Kennedy School (an ACSC member), called this “trickle-down cyber security,” responding, “we get more bang for our buck if the government and large service-providers can block threats before they reach businesses and operators of important systems.”
Then in July 2018, Vice President Pence and DHS Secretary Kirstjen Nielsen unveiled plans for a DHS National Risk Management Center and kicked off a campaign emphasizing public/private sector collaboration. That Center is a good start to something the ACSC has been discussing for years, the need for public and private entities to collaborate against larger digital threats. By collaboration, we mean a vigorous passing of information back and forth between the government and private sectors. Too many times in the past, private industry was promised “a conversation” and found itself on a one-way street — passing information over to the government and receiving very little value in return. This effort at DHS is a promising step, but it’s focus on critical infrastructure risks and its positioning within one agency severely restricts the benefit potential.
Collaboration Is Key
Building stronger cyber security defenses is a daunting task that the Administration cannot achieve without broad public and private sector collaboration, deprioritizing the Administration’s leadership position places the U.S. at a severe disadvantage on the global stage. Back in 2009, cyber security policy expert and early ACSC champion Melissa Hathaway, who led President Obama’s 60-day cyber security policy review as Assistant to the President for National Security Affairs and whose report helped shape the job description of the cyber security coordinator position, discussed the merits of having a strong cyber security leader in the White House. “[T]he government is moving out on a number of different areas, but sometimes you need a coach or the team lead to help get everybody continuing to work toward specific goals.”
Responding to reports of the position’s elimination, U.S. Navy Rear Admiral (ret.) and member of the ACSC Board of Directors Michael Brown, stated, “I think the position should be retained – and upgraded as per the Cyber Security Commission’s recommendations in 2016. Both the George W. Bush and the Obama administrations recognized that cyber security is a critical mission and priority for the nation, affecting national security and public safety. And it has been recognized through prior administrations, both Republican and Democrat, that cyber security is a whole of government responsibility. For that reason, and the need to be engaged strategically with other nations and the private sector, the nation needs a leader focused on cyber security and working directly for the President.”
The government needs to do more than say that cyber security is a national security imperative. It needs to demonstrate it to our adversaries through clear and substantial force projection. Cyber attacks have leveled the global playing field and the country needs strong leadership to regain our historical advantage. State-sponsored and criminal syndicate hackers are developing capabilities that can cause as much damage as conventional weapons. Defending against these attacks requires strong coordination to effectively harness the power of collective resources across the public and private sectors. At its most basic, the cyber czar position is not only critical for advising the President on how the government should defend itself. It serves as a critical conduit for organizing industry and coordinating response to community-level threats. The US has substantial cyber defense capabilities and thought leadership ready to assist if called upon. Our government needs to stop making excuses and start working the way it should, harnessing that power to modernize our defensive profile.
Keeping Cyber Defenses Strong
The US government is showing signs of being unable to effectively respond to major, community-level cyber security events. Many of the top people in cyber security positions across the government have left in recent months to seek work and shelter in the private sector. The exodus has shifted the top talent out of government, further depleting its leadership potential. To continue ceding its defensive capabilities to industry would not only further weaken our country’s ability to defend itself en masse, it would leave vulnerable all state and local municipal organizations that lack the resources that they need to defend against common attacks. A renewed cyber czar position, assumed by an individual with industry respect, could establish a strategy to give civil servants stronger purpose and help stem the tide of departures.
While the private sector’s cyber threat perception and intelligence gathering capabilities far exceed that of the government, the intelligence community’s ability to aggregate and process unstructured information from varying data sources is superior. Reducing the ability for the Administration to build constructive engagement with industry by eliminating key leadership positions will only widen the trust gap, making it more difficult for the Nation to respond to community-level threats when they occur.
The ACSC echoes Adm. Brown’s recommendation that the Administration bring back the cyber security coordinator position, and also elevate it to report directly to the President. Furthermore, we urge the President to charge the position to leverage the Nation’s independent security information sharing groups, including the ACSC, to establish stronger trustworthy communications with the private sector. Doing so will better prepare the Nation to actively defend against advanced cyber security threat agents rather than be forced into a position of responding and recovering from inevitable attack.
About the Author: Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), a regional collaborative building a stronger community defense to solve common cyber security problems across Massachusetts and New England.