A new cabinet-level agency could help—if officials have learned the lessons of Homeland Security.
By
H. Rodgin Cohen and John Evangelakos
July 11, 2017 6:17 p.m. ET
The prospect of a “cyber 9/11” grows likelier every day. In May the WannaCry ransomware attack, affecting hundreds of thousands of computers, disrupted health care and telecommunications across the world. American investigators now believe Russian hackers precipitated the continuing Gulf diplomatic crisis by planting false news stories on the Qatari state news agency’s website. And late last month another ransomware outbreak, Petya, went global.
Cyber attacks have become capable of much more than stealing consumer information or embarrassing business executives and politicians. Whether conducted by lone wolves or nation-states, they can compromise the safety of medical, food and water systems, disrupt transportation, or even destabilize nuclear plants. Such attacks can undermine democratic institutions or encourage violence by spreading false information. The cyber threat has become existential.
Enhanced cybersecurity controls from private and public organizations are necessary but insufficient. The problem has not been a lack of action. It is the multiplicity of programs and division of responsibility that diminish their effectiveness. At least 11 federal agencies bear significant responsibility for cybersecurity: the Central Intelligence Agency, National Security Agency, Department of Homeland Security, Treasury Department, three branches of the military, and three federal banking agencies.
Congress should merge these disparate cybersecurity programs into one cabinet-level agency that also serves as the focal point for collaboration with the private economy. Call it the Department of Cybersecurity. This would be an extraordinary and risky measure, requiring careful implementation. But the magnitude of the danger and the limits of America’s current ability to defend against the cyber threat compel a bold response. Some leaders in government and business say they doubt this kind of unification is feasible, but very few have questioned whether it is desirable.
Lessons from the creation of the Department of Homeland Security 15 years ago can help Congress and the president implement the idea more smoothly. What to avoid? Fragmented congressional oversight—more than 100 committees and subcommittees oversee the DHS. Constant bureaucratic turf battles have hurt the DHS’s effectiveness. As did raising public anxiety while failing to provide concrete instructions for action: Initiatives like the DHS daily color codes should be avoided.
The new agency would need a clearly defined mission, consolidation of reporting into a limited number of congressional committees, and an independent, expert body providing a periodic review to ensure accountability. There is also an opportunity for the new agency to be formed in a more deliberate way, drawing on leadership from the private economy to promote efficiency and cost-effectiveness.
Most important, the new agency should be led by someone with demonstrated management skills who is fully empowered to bring all the strands of cyberdefense together and to create a credible threat of retaliation. Leading candidates that come to mind are former NSA Chief Keith B. Alexander, former Assistant Treasury Secretary Leslie Ireland, Scott Charney of Microsoft and former Vice Chairman of the Joint Chiefs of Staff Edmund P. Giambastiani.
This leader would inherit a group of agencies that are already collaborating more effectively than before 9/11, but there is still room to improve coordination. Civilian networks are separated from military ones. Jurisdictional limitations to domestic, or homeland, concerns impede global cooperation.
Although coordination between the federal government and the private economy has improved, it is still not a substitute for a unified defense against a global threat. In today’s multiagency environment, information and knowledge are too often isolated within individual agencies. As the DHS experience proved, agencies that have competing objectives eventually end up undermining the country’s ability to address security challenges. These problems would be more effectively addressed by a single agency, if it had the authority to succeed.
Perhaps most important, talent remains dispersed. Substantial cyber expertise exists throughout government, but these experts would be far more effective working under a unified command structure. Such an agency would be likely to attract the best and brightest at a time when those minds can mean the difference between cyber catastrophe and cyber protection.
A unified federal agency would also be best suited to provide crucial coordination with state and local governments and the business community. Private companies are a critical source of technological breakthroughs and early warnings, and the states have often been laboratories for policy innovation. These efforts could be accelerated and enhanced through leadership from a single, properly structured federal authority.
A new federal office for cybersecurity can provide the unification, collaboration, coherence, skills and leadership to implement a comprehensive policy that counters the existential cyber threats America must confront. Too much is at stake to ignore the problem any longer.
Mr. Cohen, senior chairman of Sullivan & Cromwell LLP, served on the National Security Agency’s Cyber Advisory Committee (2012-16). Mr. Evangelakos, a partner at Sullivan & Cromwell, leads the firm’s cybersecurity practice.
Appeared in the July 12, 2017, print edition.
No comments:
Post a Comment