August 31, 2011

Cyberspace Threats Often Blur Government Agency Lines

When a threat to the nation arises from cyberspace, who you should call isn’t always clear.

Since the Sept. 11, 2001, terrorist attacks, years of bureaucratic battles among federal agencies over primacy in cybersecurity — mostly between the Department of Homeland Security and the National Security Agency — seem to have settled into a working, if not always perfect, relationship. But it may be that an imperfect system is the best we can hope for, given the nature of the Internet.

"Identity on the Internet is almost impossible to authenticate," said Travis Sharp, a fellow at the Center for a New American Security in Washington, D.C., and co-author of a recent report entitled "America’s Cyber Future: Security and Prosperity in the Information Age."

In plain English, that means it's very difficult to tell whether a cyberattack is an act of war by a rival government, or simply criminal mischief — even though getting the correct attribution is crucial to deciding what kind of response the government should take.

Who's in charge here?

For example, a military response might seem obvious in case of a cyberattack on a Department of Defense network or facility. But if the attack happened to come from within the United States, it would fall under criminal statutes. And thanks to the fact that "spoofing" an online identity is almost trivial, an attacker can tie up the American government in legal and logistical knots.

In such situations, which agency takes the lead becomes important. For example, whether the National Security Agency (NSA) should play a lead role in some situations — or even be directing all cybersecurity efforts — is still under debate.

Rod Beckstrom, the first director of the Department of Homeland Security's National Cyber Security Center (NCSC), cited infighting with the NSA when he resigned in 2009 after about a year on the job, specifically the NSA's efforts to have the NCSC moved to the NSA's headquarters.

Beckstrom's replacement at the NCSC, Phil Reitinger, lasted twice as long. He suddenly resigned in May 2011, saying he had accomplished what he wanted to do in the job and wanted to spend more time with his children.

The NSA has asked to take a lead role in cybersecurity, but many within the government were and are wary because of the agency’s dubious past record on privacy and civil liberties — notably its secret warrantless wiretapping program, which was exposed by the New York Times in 2005.

Sharp says the Obama administration has made it clear it sees DHS, not the NSA, as the lead agency on cybersecurity.

Too many cooks?

Yet that doesn’t tell the whole story. James Lewis, a director and senior fellow at the Center for Strategic and International Studies in Washington, notes that four different federal agencies deal with cybersecurity.

The Department of Defense (DoD) has its own cybersecurity division that deals with attacks on its networks, and the NSA is at least nominally part of the DoD. The State Department concerns itself with diplomatic security, the FBI with law enforcement, and DHS with counterterrorism.

The agencies are supposed to coordinate their efforts through the president’s cybersecurity coordinator, Howard Schmidt — the "cybersecurity czar" who was named to the post in 2009.

"Howard [Schmidt]’s job isn’t as strong as he would like," Lewis said. "But it has had a good effect."

Schmidt's office also doesn’t have the budget or staff that he would like, Lewis adds.

In the last three years, however, the various agencies have done better at coordinating and sharing expertise, Lewis said.

He noted that NSA Director Gen. Keith Alexander, who was made head of the DoD's new U.S. Cyber Command in early 2010, has since testified that interagency cooperation on cybersecurity is better than it was a few years ago. Gordon Snow, assistant director of the FBI’s Cyber Division, said the FBI has been working jointly with DHS more.

It isn’t as though there is no certainty at all about agency parameters. Both Lewis and Sharp noted that the DHS seems to be the umbrella agency for private industry that operates overseas — a kind of "public face" for U.S. cybersecurity efforts. That gives trading partners confidence, which is no small thing.

The lack of interagency cooperation goes back decades, but was made especially visible in the wake of the Sept. 11 attacks. The FBI, CIA and law enforcement were criticized for not speaking to each other enough to "connect the dots," and there were allegations that the CIA knew the whereabouts of the attack plotters but did nothing to alert the FBI.

DHS was created in part to solve such problems. Since then, the issue of how to get various divisions of the government to work together has been a source of tension within the federal bureaucracies.

Strength in disorganization

Then again, such cooperation might not always be desirable. Sharp noted that it's actually alien to the U.S. government in general, and that in the world of cybersecurity, there are several reasons an overarching agency might actually be a bad idea.

The Internet, Sharp notes, is decentralized. The military and intelligence agencies realized this and took steps to move decision-making downward, to lower-level operatives who can make decisions quickly. The downside of this is that without direction from the top, a low-ranking person can end up escalating a situation and making things worse.

In the face of a distributed threat, having a cybersecurity coordinator in the White House acting as a clearinghouse for the various independent agencies may be the best approach.

After all, both Sharp and Lewis note that different agencies have different areas of expertise and of ability.

"The FBI can do things nobody else can do," Lewis said.