22 August 2018

The feds keep creating cybersecurity offices and experts say it's not necessarily a good thing

by Anna Giaritelli

Federal agencies have launched several offices and programs since the 2016 election that are intended to secure cyberspace, but some are warning that this is only creating more confusion among the private sector, since President Trump's White House hasn't done enough to help coordinate them. Experts say the existence of a dozen independent cybersecurity operations with overlapping agendas is not ideal, especially since there is only sporadic information-sharing between agencies.


Just last week, for example, Homeland Security Secretary Secretary Kirstjen Nielsen announced the new National Risk Management Center, which is meant to link companies to the government so businesses from all industries know who to contact when they detect a cyber breach.

But some think companies will be hesitant to sign up, because the DHS group is just one of many in the government trying to set itself up as the first point of contact with the private sector.

"I think this announcement didn’t offer the kind of detail that will really be needed in the weeks and months in order to make clear what its role is as opposed to all of the other ones,” said April Doss, who served as lead Democratic counsel for the Senate Intelligence Committee’s probe into Russian interference during the 2016 election.

The DHS group has lots of competition. In February, the Energy Department launched the Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, to serve as the first point of contact for all physical and cyberattacks, natural disasters and man-made disruptions to the energy sector.

The Commerce Department also has a cyber office, and the Department of Health and Human Services in June launched the Cybersecurity Collaboration and Education Center.

There’s also the Director of National Intelligence’s Cyber Threat Framework. The FBI operates the Foreign Influence Task Force, National Crime Information Center, and National Cyber Investigative Joint Task Force.

Doss says it's too overwhelming for companies.

“Some of these cybercenters seem to be focused on particular centers in the economy. That’s one totally appropriate way to do it. This new DHS center seems to be intending to deal with any kind of cyberthreats that come,” said Doss, now partner and chair of the cybersecurity and privacy practice at Saul Ewing Arnstein and Lehr.

“A different perfectly fine approach is to say that DHS or whomever has to lead all public-private interface regardless of what sectors of the economy, and right now we’re trying to do both,” she added.

The effectiveness of these offices in light of their redundant missions will depend on how DHS defines the roles of the new center in coming months and how it coordinates with other agencies.

Vice President Mike Pence seems to be thinking along the same lines. At the DHS cyber summit, he called for legislation that would create a Cybersecurity and Infrastructure Agency within DHS, which would give the department the final say on the matter.

“None of these things individually or in aggregate in and of themselves are sufficient,” said Klon Kitchen, senior research fellow for science, technology, and national security at the conservative Heritage Foundation. "But before determining whether each of these organizations are doing the same work, the Trump administration needs to decide what its overarching goal is, then assign people to carry it out.”

Two men in the White House had been tasked with laying out the administration’s cybersecurity strategy. But four months ago, Trump’s homeland security adviser Tom Bossert and cybersecurity coordinator Rob Joyce both resigned unexpectedly, and the posts have not been filled yet.

“I think there is a need for somebody whose job it is to look across the government,” said Doss. “We don't seem to have that position existing anywhere in the administration.”

Kitchen disagreed and said, while he liked Bossert’s work, having one senior post filled was not going to make or break America’s cybersecurity strategy.

“I don't think the absence of Bossert, who I thought was really good, is the decisive problem. There’s only so much you can do with NSC [National Security Council],” he said.

No comments: