Momentum is building for a new cybersecurity agency in the Homeland Security Department. The idea initially proposed by Rep. Mike McCaul (R-Texas), chairman of the Homeland Security Committee, received some crucial support on March 22 when two former federal cyber executives threw their weight behind the idea.
“I think that taking National Protections and Programs Directorate (NPPD) out of being a headquarters function, which it is clearly not, and making it into a line agency within DHS along with the other functions DHS has and prioritizing that makes a great deal of sense,” said Michael Daniel, former cybersecurity coordinator for President Barack Obama and now president of the Cyber Threat Alliance. “I think continuing the holistic focus on our critical infrastructure and federal civilian agencies also makes a great deal of sense, and that would put DHS on a more solid foundation to partner with the Defense Department and the Justice department in doing their mission.”
But maybe the roots of the change that’s needed to improve federal cybersecurity already have started to sprout.
Retired Gen. Keith Alexander, the former head of the National Security Agency and U.S. Cyber Command, said while he agreed with the idea to create a new cyber agency at DHS, lawmakers should go further.
“I think you need to look at the civilian part of government, look at the IT and cyber, it’s not sufficient. They don’t have the resources. They will never get the people. Consolidate that into a Defense Information Systems Agency-like organization and put that under somebody,” said Alexander, who now is president and CEO of IronNet Cybersecurity. “That organization would be responsible for protecting government. DHS would be responsible for protecting DHS and working with the rest of that.”
The concept of a DISA-like organization for civilian agencies is interesting, especially in light of the collaboration between DHS and the General Services Administration on the Continuous Diagnostics and Mitigation (CDM) program. DHS is running the technical side and GSA is running the acquisition side of the program.
DISA is well respected for bringing together both the acquisition and technology worlds around cyber and IT, along with a lot of input and help from the military services and agencies.
Taking Alexander’s idea one step further, a new cyber agency could bring together the expertise of DHS’ Federal Network Resilience — which includes CDM, the EINSTEIN program, the Automated Information Sharing (AIS) program and many others — the U.S. Computer Emergency Readiness Team (US-CERT) — which includes the blue and red teams that test agency networks — and the National Cybersecurity and Communications Integration Center (NCCIC) along with GSA’s expertise in cybersecurity acquisition from FEDSIM in the Federal Acquisition Service.
By taking the best of both worlds, lawmakers would create an organization that meets the holistic goal Daniel discussed. Too often the acquisition side of the equation is overlooked or forgotten when setting up new agencies or organizations. If Congress would have mandated DHS have one procurement organization for when they created it nearly 15 years ago, think of the money, time and effort it would have saved.
Now let me be clear here, the CDM program, EINSTEIN and other programs are not perfect. They have struggles that both DHS and GSA recognize and are trying to fix (see my other notebook story on CDM).
Lawmakers also should not forget a well-worn talking point that the future of cybersecurity tools and software will come from industry, not the government. This means this new cyber organization has to have a strong and fine-tuned acquisition arm to be successful.
In addition to Daniel and Alexander, the Cybersecurity Commission for the 45th President, sponsored by the Center for Strategic and International Studies (CSIS), also recommended the creation of this new organization.
Additionally, this new organization would be the public face when dealing with a cyber attack and be able to work closely with DoD and the FBI.
Alexander told the committee that having that one cyber civilian belly-button to push also would let DoD, the FBI and this new agency conduct training exercises to better sort out the rules of engagement.
“My experience from being on the offense is the offense always wins because the defense is terrible,” Alexander said. “We can fix the defense by getting government and industry to work together. I think DHS should have the lead. I think we should bring in parts of the intelligence community and the military into those meetings to talk with industry so they know this is an all-of-government approach.”
McCaul said he intends to pass legislation this year to prioritize the creation of a cyber agency in DHS and already has begun to work with the Trump administration and others.
Daniel said he would like to see the EO continue “to emphasize a risk-based approach to cybersecurity” because no one can “protect everything all the time.”
He said the EO also should “focus on moving a lot of the cybersecurity mission out of all the hands of all of the federal civilian agencies, but retaining accountability for protecting their information but indicating they don’t have to be doing all the protecting themselves and finding ways to do shared services across the federal civilian side. That is incredibly important.”