Sep 14, 2018
Does the United States Need a National Cybersecurity Agency?
General David Petraeus, the former Director of the CIA, published an Op-Ed in Politico recently that advocates for the creation of a new, independent National Cybersecurity Agency (NCA) “to take the lead in protecting our critical infrastructure.” Co-authored with Kiran Sridhar, the Op-Ed expresses concern that the government’s current “grab bag” approach to cybersecurity isn’t working.
Almost everyone I have ever spoken to about this issue agrees that the government’s cyber program is dangerously deficient despite a lot of effort by smart people. However, does the US need an NCA, or something else? Could existing structures be modified to achieve the same goals? These are vital questions that must be asked at this risky moment.
A need for greater authority in cybersecurity
Petraeus and Sridhar acknowledge the Department of Homeland Security’s (DHS) work on cyber to date, but they believe an independent agency could be the vehicle for realizing a much-needed strengthening of the cybersecurity posture of the United States. In their view, the DHS cybersecurity strategy is late to the game.
“The organization lacks a sufficient ‘brand’ to recruit and retain top talent,” the Op-Ed states, adding, “Many companies have proven reluctant to collaborate with it.” According to Petraeus and Sridhar, “As the head of an independent agency, the director would report directly to the president and have the ears of members of Congress to get much needed legislation.”
The Op-Ed also states, “The prestige of a new agency and the cultural shift it would drive would also allow it and, hopefully, the rest of government to build the public-sector talent base we need.” The proposed NCA would, per Petraeus and Sridhar, provide “an effective coordinating body with the authority to convene companies and government agencies at all levels.”
Praise for the NCA concept from the cybersecurity industry
Cybersecurity industry veterans, many of whom have transitioned from government service to the private sector, expressed a range of opinions about the proposed NCA. Some favor the idea. Roman Arutyunov, Co-Founder and VP Products at the ICS security vendor Xage Security, said, “As industries become more interconnected with networks and digital systems sharing information, there needs to be a consistent cybersecurity policy and regulation framework across industries. An NCA could be potentially helpful in accomplishing this goal.”
Steven Sprague, CEO of Rivetz, which offers multi-factor authentication solutions, added, “Building an agency focused on strong cyber defense and investing in a transition to only known devices connected to sensitive networks and data would be a strong step forward.”
According to Tamara Anderson, VP of Corporate Strategy and General Counsel at PAS Global, which works in ICS security, “Consolidating the various federal cyber operations into a highly-functional, focused and coordinated organization is imperative.” She noted, however, “Rather than creating a hard-handed, authoritative regulating body, it’s crucial that a new cybersecurity agency collaborate effectively with the private sector, which serves as the guardian of 85% of our critical infrastructure assets.”
Jeffrey Buss, Captain USN (Retired), who ran the US Naval Academy’s Center for Cyber Security Studies, explained, “No fault to the dedicated folks at DHS who are currently tasked with this, it is just not enough, and the policies and laws to ensure the successful defense of our citizens in cyber are lacking. Hopefully we don’t have to endure a Cyber Pearl Harbor to spur lawmakers into action.”
Concerns about the viability of an NCA
A number of industry executives I spoke with expressed concerns about the viability and efficacy of a hypothetical NCA. The big question that emerged from these conversations went something like, “Should we stick with the DHS, which is already positioned to do what the NCA might be able to do, or create a new agency?” For instance, Duncan Greatwood, CEO of Xage, commented, “There is already significant information and advice sharing between industry and government, usually spearheaded by DHS and FBI together on the government side, and various consortia on the industry side.”
I put this question to General Petraeus via email. He replied, “I think my OpEd is quite clear about why the NCA needs to be pulled out from under DHS and established as an independent agency, Hugh… Please reread the assessment of DHS in it….” I love the use of my first name. That must come from DoD media training.
In any event, many industry experts were highly skeptical of the NCA concept. Scott Petry, CEO and Co-Founder of the secure browser vendor Authentic8, while acknowledging that General Petraeus makes a compelling case for better coordination of cyber security practices to protect critical infrastructure, felt “His argument that the failure is based on poor coordination and lack of resources doesn’t ring true.” As he explained, “In fact, a simple timeline review of high-profile data breaches within government organizations – from OPM to DNC, and commercial breaches like Sony show that responsible parties were suitably warned of their exposure – by FBI, by OIG, or others. To no avail.”
Terry Ray, CTO of Imperva, noted that the US already has many regulatory oversight schemes in place for critical infrastructure. As he put it, “I don’t know whether yet another three-letter agency, even one specifically tasked, would solve this problem, but I do agree that what legislators and existing agencies are doing today is not working. Should we continue to do the same thing, yet expect a different or better outcome?”
“People I know within the critical sectors acknowledge that things aren’t perfect, but also believe that DHS has made some noteworthy progress in tackling several of the problems raised by General Petraeus,” remarked Katherine Gronberg, Vice President for Government Affairs at the access control and endpoint security company ForeScout. “Having a new, standalone agency may only add to the noise since other existing cyber functions (FBI, DHS, DoD, IC, Energy, etc.) will continue to exist.”
She added, “Similarly, creating a new agency isn’t going to change the fact that our critical infrastructure is owned and operated mostly by private entities. It just gives them a new touchpoint within the federal government that doesn’t have the track record of liaising with the private/critical sectors that DHS has established.”
One major advantage of DHS over a standalone NCA is its “whole hazard” approach to critical infrastructure risks. This was the point of view expressed by Suzanne Spaulding, a former DHS undersecretary who now serves as an advisor to King & Union, the cybersecurity solutions provider. As she put it, “DHS works across multiple agencies and private companies to ensure that goods and services relied on by the US public will be there when they need them.” This might mean coordinating with FEMA and Treasury, for example. An NCA might replicate or complicate such arrangements.
Spaulding also worried that a separate cabinet-level agency like the proposed NCA would become a “cyber stove pipe” that actually makes the government’s capabilities more, not less, limited. “There has to be a holistic risk assessment,” she said. She also pointed out that during the year or two it would inevitably take to reorganize and build the NCA, the US would lose cybersecurity focus.
The government cyber conundrum
The question of whether the US needs an NCA reflects a much broader problem, which is the potential (and limits of potential) for government to protect the country from cyber threats. Petraeus and Sridhar are definitely onto something when they say, “The solution isn’t just to try harder. We need to acknowledge that cyberthreats have reached a new level, and that they need to be addressed in a new way.”
What they get right, and what they’re channeling, is the widely held view that the US is fundamentally unprepared and vulnerable, and that existing efforts, no matter how well-intentioned and thought out, are not adequate for defense. A higher-profile agency might address this issue, but it could easily make things worse. Even the dialogue presented in this article reveals the potential for bureaucratic infighting and disorganization that could achieve the exact opposite of the NCA’s intent.
It’s a conundrum. The government alone can’t make us secure. Industry alone can’t do it, either. Working together is a good idea, but challenging to execute. The real opportunity, which is implied in the Op-Ed, comes from the idea that an individual Director, or a team of respected people, could drive the change we all know we need.
If someone that most Americans trust and respect (like General David Petraeus) stands up and says, “cyber is our number one threat and we’re going to change the way we deal with it,” that might have the desired effect on the government’s cybersecurity posture. On the other hand, if an NCA devolves into another Washington turf battle, it will send things in the wrong direction.
About King & Union
King & Union is a cybersecurity company based in Alexandria, Va., that has designed and built Avalon, a cyber analysis collaboration platform. Visit King & Union at kingandunion.com for more information.