Analysis & Opinions - Politico

The Case for a National Cybersecurity Agency

| Sep. 05, 2018

Recent reports that Russia has been attempting to install malware in our electrical grid and that its hackers have infiltrated utility-control rooms across America should constitute a significant wakeup call. Our most critical infrastructure systems are vulnerable to malicious foreign cyberactivity and, despite considerable effort, the collective response has been inadequate. As Director of National Intelligence Dan Coats ominously warned, “The warning lights are blinking red.”

A successful attack on our critical infrastructure — power grids, water supplies, communications systems, transportation and financial networks — could be devastating. Each of these is vital to our economy, health and security. One recent study found that a single coordinated attack on the East Coast power grid could leave parts of the region without power for months, cause thousands of deaths due to the failure of health and safety systems, and cost the U.S. economy almost $250 billion. Cyberattacks could also undermine our elections, either by altering our voter registration rolls or by tampering with the voting systems or results themselves.

Cyberthreats have changed dramatically in recent years, but our national approach to cyber defense has not. The Department of Homeland Security is currently the federal entity responsible for protection of critical infrastructure from cyberattacks; however, although Secretary of Homeland Security Kirstjen Nielsen has pursued a number of commendable cybersecurity initiatives, her agency has such a vast portfolio of responsibilities that it can’t possibly give cybersecurity the attention and resources it requires. The department’s cybersecurity strategy was submitted over a year late, the organization lacks a sufficient “brand” to recruit and retain top talent, and many companies have proven reluctant to collaborate with it.

Outside Homeland Security, the national response has been piecemeal. There have been numerous initiatives by federal, state and local governments, as well as by critical infrastructure operators themselves, to improve their respective cybersecurity postures, but these efforts have been hampered by a lack of coordination and resources.

The solution isn’t just to try harder. We need to acknowledge that cyberthreats have reached a new level, and that they need to be addressed in a new way. The time has come to establish an independent National Cybersecurity Agency to take the lead in protecting our critical infrastructure.

A standalone agency would be much more focused, capable and empowered than the current grab bag of governmental initiatives. As the head of an independent agency, the director would report directly to the president and have the ears of members of Congress to get much needed legislation. The prestige of a new agency and the cultural shift it would drive would also allow it and, hopefully, the rest of government to build the public-sector talent base we need. The market for cybersecurity expertise is intensely competitive, and DHS has experienced challenges recruiting and retaining top professionals in the field.

The NCA would fill yet another critical need in providing an effective coordinating body with the authority to convene companies and government agencies at all levels. This is particularly important as the government’s cyber response has become even more siloed since the elimination of the Cyber Coordinator role in the White House.

There are five tasks on which a National Cybersecurity Agency would need to focus.

Authority. An independent agency would speak for the entire executive branch to Congress and work with legislators to gain legislation, funding, other resources and authorities needed to effectively oversee cybersecurity of our infrastructure. An NCA likely would find a receptive audience among Washington policymakers: Members of both parties agree that the government needs to do more to shore up cyber defenses, but without a coordinating agency, it’s hard for them to know how to help.

Oversight. No agency currently has the ambit to regulate fully all critical infrastructure providers, and many federal, state and local authorities haven’t fully exercised their authority either. In the absence of sufficient oversight, many critical infrastructure operators—85 percent of whom are private—haven’t made the requisite investments to safeguard their most important operations. The NCA wouldn’t supplant existing regulators with sector-specific expertise; rather, it would build upon existing private-public security collaborations—which have proved particularly successful in the financial industry—by gathering industry regulators and leading companies to develop standards and protocols. Compliance and enforcement could remain in the hands of relevant agencies and offices—the Treasury Department for banks, FERC for utilities, and so on – but be overseen by the new NCA.

Investment. Cyber weapons have developed faster than cyber defenses of critical infrastructure systems and software, leaving serious vulnerabilities. The NCA’s funding and relationships with industry could help close this gap, as well.

Information sharing. The cyber battlefield is a quickly changing landscape, and it is crucial for companies, utilities and other affected parties to have access to the latest knowledge about threats and defenses. When it comes to information-sharing, however, a study by the Government Accountability Office documented a complex regime of inadequately defined agency roles and insufficient resources and knowledge. Looking back at 9/11, it’s clear that lapses in communication prevented law enforcement and intelligence agencies from thwarting the attacks. Today, ineffective information-sharing leaves the U.S. similarly vulnerable to cyberattacks. The NCA would be the single clearinghouse needed by government and industry, coordinating real-time updates on attacks, threats, and vulnerabilities.

Talent. Hiring people with cybersecurity skills is among the biggest recruiting challenges for the public sector; Harvard’s Belfer Center estimates that the federal government alone has a deficit of 10,000 cybersecurity professionals. A dedicated Cabinet-level agency with a culture built specifically around cyberthreats and security would change that equation. The NCA could help deepen the talent pool by establishing training programs for talented young people; it also could embed private-sector employees in cyber roles for fixed and flexible durations, where they could engage in meaningful work, some of which is not possible—or legal—outside of government. These types of initiatives would make the NCA a highly sought-after destination for talent, like the Cyber Bureau in Israel or the CIA and NSA in the U.S.

Many analysts have described cyber weapons as the 21st century equivalent of nuclear bombs. Though there obviously are important differences, the analogy is not unreasonable, as the most powerful cyberattacks would, like nuclear explosions, inflict enormous damage. To confront the threats posed by the onset of the Cold War and the prospect of Soviet nuclear weapons, President Truman signed the National Security Act of 1947, which created the Department of Defense, the CIA and the National Security Council. These organizations played a vital role in developing and implementing the strategy that prevailed in the Cold War and continue to serve our country well today.

The U.S. now needs similar reform to confront mounting threats in cyberspace. Only an independent National Cybersecurity Agency would have the authority to gain the necessary legislation, coordinate regulation, increase investment, strengthen information sharing and assemble America’s technical talent to protect the nation’s infrastructure from cyberattacks. We must act before it is too late.

For more information on this publication: Please contact the Belfer Communications Office
For Academic Citation: Petraeus, David.“The Case for a National Cybersecurity Agency.” Politico, September 5, 2018.