CISA can’t succeed in the Pentagon’s shadow

Congress and the Biden administration need to truly empower the civilian cybersecurity agency to drive the real and effective change needed to defend the country against punishing cyberattacks.

After President Biden called on Amazon, Apple, Microsoft and other tech giants to increase efforts to defend against the increasingly punishing digital assaults on US critical infrastructure, Google and Microsoft promised some $30 billion to bolster cybersecurity efforts. It was a noble and headline-grabbing pledge and it’ll help. But real and lasting improvements to national cyber defenses won’t come without fundamental change in Silicon Valley and Washington, and Biden should look first at fixing a problem that has stymied the nation’s ability to defend itself in cyberspace for decades.

For far too long, the Department of Homeland Security, which is responsible for overseeing the protection of all the nonmilitary government agency networks and the critical infrastructure computer systems used to operate the energy grid, public transportation, and the financial sector, hasn’t been given enough power within the government — and therefore any real sway over the private sector — to implement effective practices and policies to safeguard Americans against attacks such as the Colonial Pipeline takeover, the SolarWinds Orion hack and countless other digital crimes.

Since the department launched its first dedicated cybersecurity center, the National Cybersecurity Center, in March 2008, it has existed in the Pentagon’s shadow and struggled to assert more robust and effective national defenses, gain the respect of the private sector and attract the cybersecurity talent it needs to carry out its mandate. The overwhelming perception is that the Department of Defense continues to call the shots when it comes to national cyber defenses, and as a result businesses don’t always take seriously the advice of DHS or the authority of its relatively new Cybersecurity and Infrastructure Security Agency.

But if the current administration really wants to alter the current cybersecurity dynamic and marshal a whole-of-nation fight to confront digital threats, it needs to embolden CISA so that it can begin to compel businesses and critical infrastructure operators to take the necessary steps that will actually protect the country’s most vital systems and networks. It needs to undo what Rob Beckstrom, a tech entrepreneur who served as the National Cybersecurity Center’s first director, identified after just a year leading the center. Frustrated by the fact that DoD dominated civilian cybersecurity efforts, he quit in March 2009 after a year on the job. In his resignation letter to then-DHS secretary Janet Napolitano, Beckstrom said that the National Security Agency “effectively controls DHS cyber efforts” and “currently dominates most national cyber efforts.” Beckstrom was alarmed that a military intelligence agency was in charge of too many civilian cybersecurity-related issues, arguing instead there should be “a credible civilian government cybersecurity capability which interfaces with, but is not controlled by, the NSA.”

To Beckstrom, the idea that DHS led civilian cybersecurity efforts was a red herring — a designation intended to suggest there was a division between DoD cybersecurity operations and civilian cybersecurity efforts led by DHS when, in fact, the military was actually in charge of everything.

That tension between the DoD and DHS over government cybersecurity efforts still looms large. Just this summer, the DoD Inspector General issued a report criticizing the ability of the two agencies to work together on cybersecurity, pointing to the SolarWinds compromise as evidence of how important it is to foster better coordination and communication between DoD and DHS.

Just as Beckstrom feared more than a decade ago, the NSA — and its closely related counterpart Cyber Command — still employ most of the technical talent in government, still hoard technical vulnerabilities like EternalBlue and get to decide whether or not to disclose those for the purposes of securing civilian networks, and are still the most respected authorities in the federal government on how to respond to and mitigate cyberattacks. Biden’s decision to appoint former military personnel to the highest cybersecurity positions within DHS and the White House could help bridge the gap between the two agencies — but it could also reinforce this sense that the military retains most of the relevant control and expertise in cybersecurity and still sets the agenda.

Bringing military expertise to bear on civilian infrastructure isn’t necessarily a bad thing — in fact, it may be a very good thing if it means that infrastructure receives stronger protections and more attention.

There is a real risk, however, when it comes to blurring the distinctions between military and civilian cybersecurity. The top priority of civilian cybersecurity is defense — protecting critical infrastructure from cyberattacks and breaches. That means that any vulnerability that could be used to infiltrate those systems, any technique or tactic that could lead to their compromise, would ideally be disclosed to infrastructure operators or software manufacturers in order to be patched.

The military, however, has to balance that defensive objective with its mission to develop offensive cyber capabilities — capabilities that are bolstered by keeping those same tactics and vulnerabilities secret, so they can be used against adversaries in the future. Historically, the US has been better at offense than defense in cyberspace, in part, perhaps, because the latter is more challenging, but also partly because there do not seem to have been strong advocates for disclosure and defense within the government who can effectively stand up to military interests.

At the same time, the series of successful ransomware attacks on civilian targets indicates that DHS has largely failed in its mission to secure non-military infrastructure, engendering even greater distrust of the agency and its expertise both inside and outside the government. At the heart of the power struggle between DHS and DoD over cybersecurity is the question of which of these agencies has the most influence over decisions that weigh civilian priorities against military ones and who public and private sector officials actually trust to secure complicated, critical computer networks.

The military, for its part, has long disavowed any interest in controlling civilian cybersecurity. The month after Beckstrom’s resignation, then-NSA director Keith Alexander told an audience at the RSA Conference that his agency did “not want to run cybersecurity for the US government.” Not long after that, the DoD created Cyber Command, which works closely with the NSA to oversee military cyber operations. Over the course of the decade that followed, DHS and DoD continued to navigate a complicated and oftentimes tense relationship surrounding the question of which department had responsibility and expertise over different cybersecurity issues and incidents.

A set of interdepartmental memorandums intended to clarify that relationship and improve coordination and cooperation on cybersecurity across the two departments largely served to heighten the tensions between the two organizations most focused on cybersecurity in the US government. These memorandums, intended to make it easier for the two departments to exchange employees and rely on each other for support, fueled perceptions, both within and outside the government, that all of the real power and expertise in this domain lay with the DoD, and that DHS had been relegated to the role of relying on DoD personnel and assistance in its own broad mandate to oversee civilian cybersecurity efforts.

DHS Secretary Alejandro Mayorkas (left) participates in swearing in of CISA director Jen Easterly. Photo by Benjamin Applebaum and courtesy of DHS

Last month, the US Senate confirmed Jen Easterly as the director of the Cybersecurity and Infrastructure Security Agency. A former NSA official, Easterly helped launch Cyber Command, and it’s possible to interpret her new position as a sign of just how far the two departments have come in finally being able to work together and how well established and respected the DHS cybersecurity operations finally are. But it’s also possible to view Easterly’s installation as yet another sign that, as Beckstrom cautioned more than a decade ago, DoD personnel continue to control most civilian cybersecurity efforts and the US government continues to struggle with trying to make a clear and even division between its military and civilian cybersecurity operations. What’s more, the top cyber officials at the White House — Chris Inglis and Anne Neuberger — are also both former NSA officials.

Part of the problem stems from the fact that distinguishing between civilian and military cybersecurity is not always straightforward. Technically, the DoD is responsible for protecting all military networks and computers while DHS is responsible for overseeing the protection of just about everything else. That sounds simple enough, but cyberattacks on civilian critical infrastructure by foreign powers blur the lines of who’s in charge and whether a military response is warranted. For instance, when Russian hackers targeted Colonial Pipeline, there was some speculation that the NSA and Cyber Command might have engineered that response (a claim the US government later denied).

Besides the ambiguity around what types of cyberattacks warrant primarily civilian — as opposed to military — responses and remediation, DHS has also, for years, struggled with trying to hire employees with technical backgrounds and expertise. From the outset, DoD (and especially the NSA) had the advantage of already employing a large number of mathematicians and computer scientists, being able to hire technical personnel at a higher pay scale than its nontechnical employees, and having several internship and scholarship programs for STEM students that provided a pipeline of technical talent. So from the earliest attempts to foster more collaboration across DoD and DHS, part of the emphasis was on bringing more DoD personnel with technical expertise to DHS to help ramp up civilian cybersecurity operations. The 2010 memorandum of agreement between DHS and DoD included provisions for exchanging personnel, and Congress later authorized a pilot program for the DoD to detail technical personnel to DHS “to enhance cybersecurity cooperation, collaboration, and unity of Government efforts.”

While these efforts and memoranda were well intentioned and even helpful in getting DHS cybersecurity efforts off the ground, it was not lost on people in either department that all of the assistance and cooperation only seemed to go one way: from the DoD to DHS. The NSA and Cyber Command detailed employees to DHS, and shared cyber threat indicators with DHS, and helped DHS develop a cyber action plan and a process for DHS to request DoD assistance and a set of cyber exercises. Meanwhile, DHS seemed to be playing a largely supporting role, receiving help and acting as the pupil to the older and wiser DoD and relying heavily on the Pentagon’s expertise, personnel and guidance.

Even as recently as this summer, the DoD issued an audit on how well the cybersecurity memorandums between DHS and the Pentagon had been implemented and identified a need for a clearer implementation plan for the most recent memorandum, issued in 2018. Without such a plan, the DoD might not be able to provide “the level of assistance to the DHS needed for the DoD and the DHS to conduct joint operations to protect critical infrastructure; support state, local, tribal, and territorial governments; and jointly defend military and civilian networks from cyber threats,” the audit concluded. Still, in 2021, the assumption is that the DoD will have to provide assistance to DHS, and not the other way around.

Beckstrom’s fear in 2009 that the DHS cybersecurity mission would be given to the NSA to direct no longer seems plausible. DHS has held onto its role of leading civilian cybersecurity and reincarnated the National Cybersecurity Center in several different forms since 2009, including, most recently, as CISA, the agency Easterly has just been confirmed to lead.

Ideally, her appointment helps bridge the enduring gap between DoD and DHS and the persistent sense that DHS is the inferior agency when it comes to cyber expertise and capabilities. But part of combating that perception will mean helping DHS establish itself more clearly and demonstrably as an independent, effective and trustworthy entity. That will go a long way toward preparing the country for a future that will bring even more punishing cyberattacks.