U.S. launches yet another cybersecurity agency, just in case 23 aren’t enough

There’s a reason the “too many cooks ..,” cliché is a cliché. It’s almost always true. Too many people working on the same task can (and often does) degenerate into conflict and chaos. The job, if it gets done at all, gets done poorly.

Perhaps the U.S. government will be the exception to that rule. But it looks like it will take some serious organizational leadership and cooperation to do an effective job protecting the nation against cyberthreats, given the number of “cooks” involved.

There wasn’t a huge media splash last month when the State Department announced the launch of its new bureau of Cyberspace and Digital Policy (CDP). But according to the announcement on the bureau’s website, its mission is to “address the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.”

The CDP bureau includes three policy units: international cyberspace security, international information and communications policy, and digital freedom.

Sounds good. Who doesn’t want digital freedom and security? And there’s no debate that there are national security risks and economic opportunities (and risks) to the nation from the online world.

It’s just that there are already 23 federal agencies with cybersecurity responsibilities, according to a 2020 report by the General Accounting Office (GAO). They include the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS); the Office of Management and Budget (OMB); the Department of Defense; intelligence agencies including the FBI, CIA, and National Security Agency (NSA); the Department of Justice; and the Commerce Department.

Among their roles and responsibilities are “developing policies, monitoring critical infrastructure protection efforts, sharing information to enhance cybersecurity across the nation, responding to cyber incidents, investigating cyberattacks, and conducting cybersecurity-related research,” according to the GAO report.

So why create yet another agency tasked with setting policy, when the first item on the GAO’s list of responsibilities for multiple existing agencies is “developing policies”?

No streamlining here

Especially since the White House created the position of National Cybersecurity Director in April 2021, and one of its chief tasks, according to U.S. Comptroller General Gene Dodaro, is to “identify opportunities for clarifying and streamlining the bureaucracy.”

Adding another agency would, of course, expand the bureaucracy, which raises the obvious question: Why can’t nearly two dozen existing agencies handle the responsibilities assigned to this new one?

Indeed, in some cases it looks like they already are. A primary task of the OMB is “approving and enforcing security requirements placed on federal agencies by the Federal Information Security Modernization Act (FISMA).” The National Institute of Standards and Technology provides standards (which amount to policy) against which FISMA requirements are developed.

And the nation’s intelligence agencies are focused on both domestic and international cyberspace security.

Joel Harding, a retired military intelligence officer and information operations expert, said there are indeed way too many “cooks” involved in federal government cybersecurity. But he also said the reality is that an agency like the CDP is necessary “because of the nature of the beast known as the Washington bureaucracy. We do not play well with others,” he said. “No agency, department, or bureau wants to be told how to do cybersecurity.”

Emile Monette, director, government contracts and value chain security for Synopsys, also sees that potential problem — likely turf battles between the new CDP and other agencies.

Monette said the Diplomatic Security Service (DSS) is in charge of protecting the State Department’s information and information technology (IT) assets at more than 270 locations around the world, including “a global cyber infrastructure comprised of networks and mobile devices.”

That suggests that “the new bureau will be externally focused instead of on the [internal] cybersecurity of the department itself,” he said.

But Monette noted that CISA also has international cyber responsibilities and authorities, many of which are detailed in the CISA Global strategy document.

Misson overlap

“The potential mission overlap between the entities could mean the creation of CDP will result in some infighting between CISA and State over which organization has ownership of a given international cyber issue,” he said. “So it will be interesting to see how the CDP interacts with CISA in particular.”

The State Department website says it is charged with “…leading the U.S. government’s efforts to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.”

“So that seems to be the swim lane the new bureau will operate in,” Monette said. “Logically, it would follow that it would need to be deeply involved with the administration and the various departments and agencies and congressional committees that have responsibilities for cyber across the federal government to form the positions that underpin the stated policy efforts.”

The CDP bureau could not be reached for comment. The “Contact Us” link on its website led to a State Department page. An inquiry sent through that page generated an auto response to contact the Office of the Coordinator for Cyber Issues, but the link provided to do so simply brought up the same State Department page that had generated the auto response.

And while there is more detailed information on the CDP website about the focus of the three different teams within it, there is nothing about budget, staff, or chain of command.

Presumably the CDP will report to the Secretary of State, but it is not clear if it goes beyond that, to National Cyber Director Chris Inglis, whose position was created last year at least partially in response to the 2020 GAO report, titled “Cybersecurity: Clarity of leadership urgently needed to fully implement the national strategy.”

According to that report, “Without a clear central leader to coordinate activities, as well as a process for monitoring performance of the Implementation Plan activities, the White House cannot ensure that entities are effectively executing their assigned activities intended to support the nation’s cybersecurity strategy and ultimately overcome this urgent challenge.”

Harding said structurally Inglis is in charge, “but this is Washington D.C. Agencies, organizations, departments, entities do not feel the need to march in lockstep with the cybersecurity czar,” he said. “It’s partly a ‘not invented here’ syndrome — not our idea, or we don’t view ‘it’ as benefitting us.”

“It’s been this way for many decades, and I don’t see a cure other than strong leadership and establishing a universal beneficial process accompanied by protection of data and incident sharing,” he said.

Inefficient and ineffective

He’s not the only one who sees it that way. Glenn S. Gerstell, senior adviser at the Center for Strategic and International Studies and former general counsel of the NSA and Central Security Service, wrote in the New York Times in March (nine months after Inglis became National Cyber Director) that “the decentralized nature of the American government does not lend itself to fighting foreign cyberthreats. Government agencies handle cyber regulation and threats in the sectors they oversee — an inefficient and ineffective way to address an issue that cuts across our entire economy.”

Gerstell noted that in recent months, “the DHS’s Transportation Security Agency announced new cybersecurity requirements for pipelines and railroads; the Federal Communications Commission put out its own proposal for telecommunication companies; the Securities and Exchange Commission voted on rules for investment advisers and funds; and the Federal Trade Commission threatened to legally pursue companies that fail to fix a newly detected software vulnerability found in many business applications.”

“And on Capitol Hill, there are approximately 80 committees and subcommittees that claim jurisdiction over various aspects of cyber regulation,” he wrote, adding, “These scattered efforts are unlikely to reduce, let alone stop, cybercrime.”

So what are the chances that adding the CDP to the two dozen agencies already involved with cybersecurity will help achieve the goal of effective execution? Or will it simply make the bureaucracy more sprawling and unwieldy? Obviously, since it’s brand new, that remains to be seen.

The CDP goals are obviously well intended. Its cyberspace security team focus is “to promote cyberspace stability and security and protect U.S. national security interests in cyberspace (and) work with like-minded states to execute coordinated responses to malicious cyber activity.”

On international information and communications policy, its goal is to enable “a connected, innovative, and secure digital economy that reflects the United States’ collective interests and values.”

And the digital freedom team intends to work at the “nexus of privacy, security, content moderation policy, tech platform regulation, human rights, and civic engagement […] promoting Internet Freedom.”

Nobody in charge?

But it’s likely that it will take some internal diplomacy to sort out the CDP role so it complements, rather than conflicts, with other agencies.

“CISA has been engaged with international partners on cyber — on both operational and policy matters — for many years,” Monette noted.

And Harding said while he thinks things will ultimately get better, they may have to get worse first.

“It just feels like nobody is in charge,” he said. “We struggled with this 25 years ago and continue to have no central authority, all to avoid centralized purse strings and no external parameters encroaching on our entity. It will take some catastrophe for us to fix the problems. Then our cybersecurity apparatus will develop a concept greater than self.”