Thursday, April 02, 2009
Joe Mazzafro

Since December I have been wanting to write about cyber, but realizing this topic is going to be with us for a while, I deferred to more immediate and less controversial topics such as grading DNI McConnell's performance ----- you remember the "gentleman's B," which I still think is a high mark since I wasn't grading on a curve and his predecessor got an "incomplete" for the course!  DNI Blair did his first media availability on 26 March and that is usually good MAZZ-INT fodder, but in the 22-page transcript I didn't see anything you or I have not already read in the Early Bird!

Anyway, in the background of all the economic news and angst about AIG retention bonuses, the White House 60 Day Cyber Review has been ongoing, Rod Beckstrom resigned as Director of DHS's National Cybersecurity Center, the GAO issued a report warning about the nation's cyber posture, the Congress has heard testimony about cyber security from subject matter experts, the Air Force has stood up the 24th Air Force, Navy Flag Officers have met to reflect on cyber issues, rumors abound that DoD is about to establish some kind of four-star-level Cyber Combatant Command (CoCom), private sector consortiums focused on cyber are being announced, and 60 Minutes has spun the nation up about "Conficker" ------ so now seems like as good a time as any for me to inflict my views about cyber on all of you who are still reading at this point.

First, I am no cyber expert, but I have been playing one on the Cyber Task Force providing a private sector perspective to the Melissa Hathaway-led 60 Day Cyber Review that wraps up in mid April and reports out in early May.  It was probably my push back during the last administration to Melissa's calls for industry (you know I prefer "private sector") to become more involved with government cyber security ----- that "it was difficult for the private sector to know where it should engage the government on cyber issues" ----- that got me such a good seat for the 60 Day Review.  It also brought me into close intellectual contact with the metaphysical questions of who should be in charge of cyber for the government and what an effective government – private sector relationship would look like for cyber.

Both the Business Executives for National Security (BENS) 2008 Cyber Strategic Inquiry (CSI) and the March 10, 2009 Government Accountability Office (GAO) testimony to Congress on improvements needed to strengthen the nation's cyber security posture strongly recommend that someone in the executive branch be put in charge of developing and executing a national cyber strategy.  Both studies, however, defer on making a specific recommendation of who should be in charge, so Mazzafro, why don't you share your "wisdom" with us?  I know you didn't ask, but I can't help myself!

When it comes to being in charge of stuff I have a back-of-the-envelope checklist that I developed while serving as a Naval Intelligence Officer, so let's see if that helps us here:

- Does anybody want to be in charge?  Seems like almost every agency wants to be in charge of cyber, but not of everything that encompasses cyber.  There's DoD, the DNI, DHS, Commerce, maybe Justice, and probably parts of the private sector, but none of them want to be responsible for the parts of the cyber domain they are not interested in.  Then there is the messy issue of authorities and the private sector's ownership of 85% of the nation's cyber infrastructure.  Finally, there are the domestic and global realities of cyber space.

- Who has the best qualifications to be in charge?  That's easy: today it's NSA, as no other government organization is even close in terms of capabilities to protect the nation's cyber infrastructure or to detect and disrupt those planning mischief or worse in America's part of the cyber patch.  Will the private sector, to say nothing of voting Americans, be happy with NSA patrolling their networks?  The recent warrantless wiretap FISA debate suggests probably not; and on cue Bruce Schneier says in a March 31st Wall Street Journal OpEd that "putting national cybersecurity in the hands of the NSA is an incredibly bad idea."  Does Posse Comitatus pertain in cyber land?

- Who should be in charge?  Again this seems obvious: DHS, because they are responsible for protecting the nation's infrastructure regardless of the modifier, and they are also responsible for disaster recovery whether the disaster is environmentally caused or man-made.  Cyber, though, has a large international component, and DHS authorities are somewhat limited here by their "homeland" mission.  Broad enough authorities are not the show stopper here; rather, it's DHS's lack of cyber expertise to strategize and execute effectively that matters.

- Who has the financial resources to be in charge?  In this case I believe that would be Fed Chairman Ben Bernanke or Treasury Secretary Timothy Geithner, but they seem too distracted by allocating bailout resources to banks and businesses too big to fail.  Just kidding, but there is no shortage of agencies wanting a piece of the cyber lottery.

Others have done this analysis in a far more rigorous and sophisticated manner, but have come to the same conclusion that there is no clear-cut best choice for what agency should be in charge of cyber (or the digital infrastructure, as some prefer).  As a result, the default position seems to be assigning this responsibility to a National Security or Homeland Security Council Deputy.  If policy is all the U.S. needs to deal with protecting its cyber (excuse me, digital) infrastructure this should work out fine, but policy execution and operations can be smothered by proximity to the political epicenter of 1600 Pennsylvania Avenue.

Since this is the Information Age, rather than standing up a Cyber Czar/Czarina in the White House, a more practical idea to me would be creating an independent Cyber or Digital Protection Agency that would be similar to the EPA in its administrative reporting to the White House, but would operate along the lines of the NCTC.  This new Cyber Protection Agency (CPA) would be funded and staffed from existing agencies' cyber-related resources and, more importantly, would embrace all the existing authorities related to cyber that already reside in various agencies through the people detailed from those agencies to the CPA.  Once in charge of cyber, the CPA could use the CSI and GAO Report findings and recommendations as its original "to do" list.  Not original, but I believe workable based on NCTC's success.  The downer is this would take legislation to accomplish, but if we don't think the cyber problem is serious then leave it to a White House functionary or the Chamber of Commerce to oversee voluntary acceptance of reasonable cyber practices.

From here I see the CPA, unlike NCTC, developing regulatory authorities that engage with the private sector the way the FAA does with the airline industry, to make cyber space a safe and reliable regime like our nation's air space.  One of the attractive features of the FAA is the way it engages all facets of the aviation industry in developing notices to airmen (NOTAMs) and airworthiness bulletins.  I am still struck by how quickly and safely the FAA ---- with the cooperation of the airline industry ----- cleared the skies on 9/11, causing me to wonder who could do that tomorrow if an adversary decided to use the strength of our nation's digital infrastructure against us.

That's what I think!  What do you think?

Share Your Thoughts:

Joe, I like your tackling of this critical national issue in the middle of all that is finally happening in this area.  As a technologist, I have worked this from DARPA and follow it closely, and as an NSTAC IES (National Security Telecommunications Advisory Committee) member, I track the work ongoing there.  The important issue that you mention, of how to secure something that is 85% commercially owned, is the center of the issue.

I helped co-chair an NSTAC task force on International Telecom two years ago because of the concern for what might happen to US telco capability given a large natural or man-made disaster.  During the course of that one-year effort, we witnessed both the earthquake off Taiwan that broke two undersea cables, and the Estonia cyber war activities.  So I agree with your point that what is done must adequately address the public/private partnership required to be effective.

One of the largest issues is information sharing among the commercial players concerned with their own viability and reputation.  Because of the efforts of NSTAC, there exists a government-industry National Coordinating Center where telco providers work together with government to respond rapidly to telco issues, outages, or other events.  The NCC has been in place for years and has the advantage of history and culture behind it.  As an interim step to whatever is decided, expanding the activity at the NCC to help mitigate cyber issues is something that should be considered.