Since December I have been wanting to write about cyber, but realizing this topic is going to be with us for a while, I deferred to more immediate and less controversial topics such as grading DNI McConnell's performance -- you remember the "gentlemen's B," which I still think is a high mark since I wasn't grading on a curve and his predecessor got an "incomplete" for the course! DNI Blair did his first media availability on 26 March and that is usually good MAZZ-INT fodder, but in the 22-page transcript I didn't see anything you or I have not already read in the Early Bird!
Anyway, in the background of all the economic news and angst about AIG retention bonuses, the White House 60 Day Cyber Review has been ongoing, Rod Beckstrom resigned as Director of DHS's Cybersecurity Center, the GAO issued a report warning about the nation's cyber posture, the Congress has heard testimony about Cyber Security from subject matter experts, the Air Force has stood up the 24th Air Force, Navy Flag Officers have met to reflect on cyber issues, rumors abound that DoD is about to establish some kind of four star level Cyber Combatant Command (CoCom), private sector consortiums focused on cyber are being announced, and 60 Minutes has spun the nation up about "Conficker" -- so now seems like as good a time as any for me to inflict my views about cyber on all of you who are still reading at this point.
First, I am no cyber expert, but I have been playing one on the Cyber Task Force providing a private sector perspective to the Melissa Hathaway-led 60 Day Cyber Review that wraps up in mid-April and reports out in early May. It was probably my pushback to Melissa’s calls during the last administration for industry (you know I prefer private sector) to become more involved with government cyber security that "it was difficult for the private sector to know where it should engage the government on cyber issues" that got me such a good seat for the 60 Day Review. It also brought me into close intellectual contact with the metaphysical questions of who should be in charge of cyber for the government and what would an effective government – private sector relationship look like for cyber.
Both the Business Executives for National Security (BENS) 2008 Cyber Strategic Inquiry (CSI) and the March 10, 2009 Government Accountability Office (GAO) testimony to Congress on improvements needed to strengthen the nation's cyber security posture recommend strongly that someone in the executive branch be put in charge of developing and executing a national cyber strategy. Both studies, however, defer on making a specific recommendation of who should be in charge, so, Mazzafro, why don’t you share your "wisdom" with us? I know you didn't ask, but I can't help myself!
When it comes to being in charge of stuff I have a back-of-the-envelope checklist that I developed while serving as a Naval Intelligence Officer, so let's see if that helps us here:
- Does anybody want to be in charge? Seems like almost every agency wants to be in charge of cyber, but not everything that encompasses cyber. There's DoD, the DNI, DHS, Commerce, maybe Justice, and probably parts of the private sector, but none of them want to be responsible for the parts of the cyber domain they are not interested in. Then there is the messy issue of authorities and the private sector's ownership of 85% of the nation's cyber infrastructure. Finally, there are the domestic and global realities of cyber space.
- Who has the best qualifications to be in charge? That's easy: today it's NSA, as no other government organization is even close in terms of capabilities to protect the nation’s cyber infrastructure or to detect and disrupt those planning mischief or worse in
- Who should be in charge? Again this seems obvious: DHS, because they are responsible for protecting the nation's infrastructure regardless of the modifier and they are also responsible for disaster recovery whether the disaster is environmentally caused or is man-made. Cyber though has a large international component and DHS authorities are somewhat limited here by their "homeland" mission. Broad enough authorities are not the show stopper here; rather, it's DHS's lack of cyber expertise to strategize and execute effectively that matters.
- Who has the financial resources to be in charge? In this case I believe that would be Fed Chairman Ben Bernanke or Treasury Secretary Timothy Geithner, but they seem too distracted by allocating bailout resources to banks and businesses too big to fail. Just kidding, but there is no shortage of agencies wanting a piece of the cyber lottery.
Others have done this analysis in a far more rigorous and sophisticated manner, but have come to the same conclusion that there is no clear-cut best choice for what agency should be in charge of cyber (or the digital infrastructure as some prefer). As a result, the default position seems to be assigning this responsibility to a National Security or Homeland Security Council Deputy. If policy is all the
Since this is the Information Age, rather than standing up a Cyber Czar/Czarina in the White House, a more practical idea to me would be creating an independent Cyber or Digital Protection Agency that would be similar to the EPA in its administrative reporting to the White House, but would operate along the lines of the NCTC. This new Cyber Protection Agency (CPA) would be funded and staffed from existing agencies' cyber-related resources and, more importantly, would embrace all the existing authorities related to cyber that already reside in various agencies through the people detailed from these agencies to the CPA. Once in charge of cyber, the CPA could use the CSI and GAO Report findings and recommendations as its original "to do" list. Not original, but I believe workable based on NCTC’s success. The downer is this would take legislation to accomplish, but if we don't think the cyber problem is serious then leave it to a White House functionary or the Chamber of Commerce to oversee voluntary acceptance of reasonable cyber practices.
From here I see the CPA, unlike NCTC, developing regulatory authorities that engage with the private sector the way the FAA does with the airline industry to make cyber space a safe and reliable regime like our nation's air space. One of the attractive features of the FAA is the way it engages all facets of the aviation industry in developing notices to airmen (NOTAMs) and airworthiness bulletins. I am still struck by how quickly and safely the FAA -- with the cooperation of the airline industry -- cleared the skies on 9/11, causing me to wonder who could do that tomorrow if an adversary decided to use the strength of our nation's digital infrastructure against us.
That's what I think! What do you think?