Who’s responsible for protecting the 2020 presidential elections against cyber attacks?
Nobody really knows, either inside or outside the U.S. government. To be sure, many agencies are hard at work combating cyber threats, but when it comes to fighting increasingly urgent threats in cyberspace – from attacks on our elections to hacks into the data stores of our largest companies – there is simply no one steering the ship. Instead, our government is confronting cyber threats through a largely incidental blend of overlapping agencies and authorities.
Congress and the Administration can fix this by creating a standalone agency, with the requisite mix of law-enforcement and intelligence authorities, to serve as the single source of threat information and investigations into network intrusions directed against the U.S. This would inject structure, coherence and accountability into our government’s approach to the cyber domain.
Just how disorganized is the current approach? Take as an example a partial list of who’s responsible for what in cyberspace: The FBI, whose Cyber Division one of us directed in the lead-up to the 2016 presidential elections, and the Secret Service investigate malicious cyber activities taking place in the U.S., while the National Security Agency, along with other elements of the intelligence community, collect intelligence on cyber activities overseas. The Defense Department, meanwhile, disrupts malicious activities when a military response is required. And the Department of Homeland Security, acting through the newly renamed Cybersecurity and Infrastructure Security Agency, serves as the nation’s “risk advisor.” That’s not even taking into account the roughly half-dozen standalone “intelligence centers” – like the CTIIC or the DC3, to name just two – tasked with tracking all these different activities.
This approach is costly, not just in diminished effectiveness but also in real terms. Taken together, for example, the federal government requested a total of $11 billion in 2020 for all these cyber activities. That sum is about $2 billion more than the entire annual budget of the FBI, which, as the nation’s largest law enforcement agency, is tasked with investigating all federal crimes.
So what would a single cyber agency look like in practice?
To start, both cyber investigations and intelligence operations would be the sole domain of this new agency. The 2014 attack on Sony, for example, would have been handled entirely by the new agency, as would the 2016 efforts to interfere with our elections and the other hacks that have dominated the news cycle before fading into our collective memory. The agency would also be responsible for cyber operations designed to collect intelligence on or influence the behavior of our adversaries overseas. The agency would be relatively slim and mission-focused, bearing more similarities to the FBI or CIA than bureaucratic behemoths like DHS.
Where cyber capabilities are not central to the crime or the operation, the new agency would serve as supporting experts to other agencies – outside of activities like network intrusions, the creation of malware or data theft, for example, computers still do play an enabling role in numerous other crimes. And because network intrusions are all, at root, crimes, the new agency would report directly into the Department of Justice, helping to ease the transition when criminal cases are handed off for prosecution – similar to the Drug Enforcement Agency, the Bureau of Alcohol, Tobacco, Firearms and Explosives and other agencies focused on domain-specific activities.
By creating a new cyber agency, Congress would also be admitting another critical truth: The James Bonds and Jack Bauers of the information age don’t need guns and bullets. What they require instead is deep technical expertise – they must understand the intricacies of software, the insights that can be culled from data and the adversaries who use these powers to cause us harm. It is for many of these reasons that Israel, a leader in the field of cybersecurity, unified all of its cyber capabilities into one single government agency last summer.
Our nation’s military came to a similar conclusion regarding aerial warfare in 1947 with the creation of the Air Force – an official acknowledgement that a new domain of conflict required its own agency, charged with fostering domain-specific expertise. The same is true of cyberspace today: New threat actors pose increasing risks to our security, while our existing bureaucracy, which was built to prioritize other missions, is ill-equipped for the depth and breadth of the threats we currently face – threats that will only be exacerbated by 5G, artificial intelligence and other technologies that have yet to be fully adopted.
Some may view the creation of a new agency as an extreme measure, preferring a new layer of bureaucracy, or a new position like a “cyber czar,” to help coordinate the government’s response to threats in cyberspace. We fear, however, that this approach will only lead to more confusion and ultimately an untenable – and unacceptable – preservation of the status quo.
Imposing unity upon our existing bureaucracies will be no easy feat. Our current cybersecurity posture is largely a result of long-running compromises between the Defense, Justice and Homeland Security Departments and their respective oversight committees on Capitol Hill. Standing up a new agency would be painful for many of these groups, requiring the forfeiture of existing authorities, budget and some of each agency’s most prized personnel.
But Congress’ creation of the Cyberspace Solarium Commission in August, a bipartisan committee of legislators, administration officials and security experts tasked with forging a new consensus around our approach to cybersecurity, illustrates that our government is finally willing to make concrete, difficult decisions on this issue.
After years of watching cybersecurity threats grow, the choice has now become clear: Protect what we care about in cyberspace, or don’t. Our security, our privacy and so much more are at stake.