Protecting the technology networks connecting more than two million employees working in over 400 government agencies serving about 325 million Americans is a herculean feat. In May, the Office of Management and Budget (OMB) released a report stating 74 percent of these federal agencies are at “high risk or risk” of facing a cyberattack. However, because of the interconnected missions and nature of government networks, if one agency is vulnerable then all are in jeopardy. The solution is not simply for one cyber czar to shepherd those on the National Security Council (NSC) towards sound cyber policy, but rather broadly fostering a government leadership culture that automatically considers cybersecurity when discussing security issues and policy actions.
While it may initially seem beneficial to have a cyber champion in the room during national security discussions with the president, it is better if everyone at the table is a cyber advocate. This means department secretaries should be in lockstep with their own cyber experts. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) need to have a seat at the table with department leadership. Unfortunately, in the government most CIOs do not report directly to the secretary or deputy secretary, which is considered industry best practice, and it will take more than just issuing an executive order to make this a reality. By not including CIOs and CISOs in enterprise discussions, agencies are not exercising holistic approaches to cyber security.
Reporting directly to cabinet secretaries would also enable CIOs and CISOs to provide input during the budgeting process to support coherent cybersecurity campaigns. Without funding, it is impossible to bake cyber solutions into agency-wide initiatives before adversaries gain access. Currently, for basic cybersecurity efforts, like firewalls and mission responses, cyber leaders must work around a lack of access to certain systems outside the CIO’s domain and funding to carryout the simple actions. Fortunately, a collaborative spirit is alive among government CIOs. The 28 CIOs on the Federal CIO Council are working together to look at strategic cyber solutions, but the majority of CIOs lack the budget authority to put their strategies into action within their own agencies. A key priority for the government should be granting these technology leaders the level of authority necessary to implement cyber defense solutions across their entire domain.
Having this stronger support for CIOs and CISOs, rather than having a visible cyber figurehead in the White House, would more efficiently ensure agencies’ cyber postures improve and cybersecurity is included in conversations at the highest levels.
The White House’s involvement in actively responding to cyber threats is actually fairly limited. Most actions in cyber incident response occur through a network of stakeholder agencies and offices. The Obama Administration created these structures through PPD-41 for United States Cyber Incident Coordination, which outlines agency-wide cybersecurity defense processes.
The key stakeholders based on role are:
• For asset response: the National Cybersecurity and Communications Integration Center (NCICC) within the Department of Homeland Security (DHS)
• For threat response: the National Cyber Investigative Joint Task Force (NCIJTF) within the Federal Bureau of Investigations (FBI)
• For intelligence support: the Office of the Director of National Intelligence (ODNI) through the Cyber Threat Intelligence and Integration Center (CTIIC)
• For managing incident effects on operations, customer and workforce the government will turn to the private sector
The Cyber Incident Coordination plan was created in 2016, about seven years after the creation of the White House cybersecurity coordinator role, and has since shown tangible results. Following the PPD-41 protocols prevented the U.S. government from being significantly impacted by the WannaCry cyberattacks in 2016, one of the largest cyber attacks that impacted at least 150 countries and 200,000 computers. These efforts were spearheaded by DHS through the NCCIC , not the White House cybersecurity coordinator. As presented at the RSA Conference, the NCCIC credits strategic relationships and global information exchange as key to the successful WannaCry response.
Rather than focusing on correcting embedded obstacles and praising proven processes, response to the Trump Administration’s decision to eliminate the cybersecurity coordinator role honed in on politics. Nevertheless, agencies with the responsibility and mission will continue to build capacity to address cybersecurity challenges. DHS is continuing to improve its approach to cybersecurity and released its cybersecurity strategy the same day the White House eliminated the cybersecurity coordinator position. Interagency cooperation is not a new concept and together the government can and will move forward to reduce the Nation’s risk of systemic cybersecurity and communications challenges.
It is important to keep the discourse about cyber policy bipartisan and not to praise or criticize a decision based on the political party of the administration that created or reversed it. President Obama’s own National Security Advisor Susan Rice favored a “lean and mean” NSC. When the nation’s security is at stake, political party messaging should take a backseat to constructive cooperation.
Assuming one person will solve the nation’s response to cyber threats is dangerous. As in collective defense, cyber champions at all levels and in every agency will be critical. The common saying still holds true that cybersecurity is a marathon, not a sprint. But in today’s environment it is a marathon relay– it can only be accomplished with a team that understands how to seamlessly pass the baton from one teammate to another.