We don’t need a separate cybersecurity agency

By Sasha Cohen O’Connell
·7 min read
FILE - In this Nov. 6, 2018, file photo, people vote at a polling place in Las Vegas. State election officials in at least two dozen states, including Nevada, have seen suspicious cyber activity in the first half of January 2020, although it’s unclear who was behind the efforts and no major problems were reported. (AP Photo/John Locher, File)

Bad news from the cyber world keeps piling up: election security, disinformation, data breaches, ransomware and even the threat of cyber-warfare from the likes of Iran, Russia or China. A growing number of officials, inside and outside the government, are arguing that as a country we need to get better organized to address this complex threat, and that the best way is to create a stand-alone cyber security agency. It’s an option already under consideration by the commission Congress created to address cyber threats, as well at the National Security Council, which has a small directorate working on a national cyber strategy.

I wish this problem could be solved that easily. There’s no question that the federal government needs enhanced resources, oversight, accountability, coordination and leadership on cybersecurity. But I spent 15 years at the FBI working on strategy and interagency governance, often in the context of cyber, and have devoted my academic career to studying how bureaucracies work, and I think creating a new stand-alone cybersecurity agency is the wrong way to go.

As messy and challenging as it is, in order to keep up with the set of diverse and evolving threats we consider “cyber,” I believe it would be far more effective to focus on knitting together interdisciplinary resources inside and outside of government in an agile, secure and accountable manner for application when and where they are needed.

First and foremost, silo-ing cybersecurity into a stand-alone agency risks excluding key government personnel, technical assets, and partners. The truth is that there really isn’t any difference between “cyber security” and “internet security” – it is all one ecosystem. Creating a stand-alone “cyber security” agency would entrench this imagined divide, potentially alienating important stakeholders such as representatives of affected sector-specific agencies, including the Department of Transportation, the Federal Aviation Administration and regulatory agencies such as the Federal Communications Commission.

For example, a new “cyber security” agency is unlikely to bring in the “cyber diplomats” at the State Department who attend meetings of the international organizations that drive determinations of technical standards for internet access, or the Department of Commerce officials who work on policies that ensure the security and utility of the infrastructure of the internet, including the domain name system at the Internet Corporation for Assigned Names and Numbers (ICANN). Further, the new agency likely would also not include technical subject matter experts at National Institute of Standards and Technology (NIST) or the Defense Advanced Research Projects Agency (DARPA) who, among other critical functions, work with the research and development community to bring cutting edge technology to the government bodies conducting offensive and defensive operations to protect the country. These experts in diplomacy, policy and science rightfully belong in their existing agencies, and creation of a standalone cyber agency would likely make it harder, not easier to coordinate policy across departments.

The proposal creates issues with the cyber workforce as well. The U.S. government’s current cyber workforce is so thin, particularly at the leadership level, that if there were a new agency created it would significantly draw down the talent at the other departments and agencies, crippling their ability to maintain core cyber functionality. Proponents argue that this brain drain from across government would be offset by the new agency’s ability to suddenly successfully compete with the private sector for talent and thus draw in unprecedented levels of skilled employees. But without significant additional funding and hiring authorities, I find that scenario unlikely.

A related workforce concern is that keeping some technical cyber capability in all departments and agencies has the benefit of exposing nontechnical staff to cyber issues and strengthening the entire workforce’s ability to address threats, both individually and as a team. For example, in FBI field offices, we found that exposing non-cyber-assigned professional staff to cyber casework in any capacity raised their competency and improved their cyber “hygiene.”

Lastly, success in cyber security is dependent on successful collaboration with the private sector – after all, they own the backbone of the internet and manage most of the data and all significant platforms. To this end, setting up a single consolidated cyber security agency would actually make matters worse, not better. Previous efforts to drive the private sector to engage with one single portal, agency or department on all things cyber failed despite good intentions and valiant efforts.

What we have discovered is that the private sector, both large and small companies, want options when engaging with their government. Some want to engage with Commerce, some DHS, some are a better cultural fit with the FBI or state and local law enforcement, and some want an entry into the government through their usual, sector-specific departments, like Energy or Health and Human Services. The best approach is for government to maintain these diverse front-door options while ensuring back-end coordination and deconfliction. Otherwise, they will simply lose engagement from their most critical partner, the private sector.

In the end, it’s worth considering the lessons we learned from combatting a similarly diffuse, dangerous and unpredictable threat: terrorism. While large redundancies created by overlapping authorities and jurisdictions are clearly not desirable, there is a case for some overlap in national security and public safety agencies to ensure that there are no gaps. Our response to terrorism, and the infrastructure we built to prevent future terrorist attacks, has worked. We do not have one “counterterrorism agency” but, instead, a largely successful model in which multiple agencies across federal, state and local authorities all contribute their unique assets and abilities through well-resourced joint terrorism task forces, empowered leaders in Washington, clear oversight and coordination points at the White House and in Congress, and clearly defined authorities. Even our post-9/11 designated National Counterterrorism Center is a component of the Office of the Director of National Intelligence, with a mission to support functions across the intelligence community.

Maintaining agencies with overlapping jurisdictions has inherent risks (for example blue-on-blue incidents or wasteful spending) and requires enhanced coordination (and some very long meetings). But in the end, our successful efforts to defend against terrorist attacks show that, like the effective placement of plates of armor, some overlap in jurisdiction and capability, when well-coordinated and effectively led, is beneficial to ensure resiliency and minimize gaps.

In general, any call for a new bureaucracy should be approached with caution because startup costs are always high and sustained success is rare. If we hope to achieve the type of success in cybersecurity that we have seen in the counterterrorism space, creating a new cyber security agency would be ill-advised and cause unintended negative consequences.

Instead, we should double down on what we know works, which is improving collaboration and coordination across diverse disciplines, funding successful interagency bodies, and ensuring accountability and leadership to bring every possible resource to the fight from both inside and outside of government. In practice, this means many things, including restoring the “cyber czar” position on the National Security Council and the “cyber ambassador” role at the State Department. Instead of spending money on starting up a new agency, it would cost less and be more effective to fully fund the national cybersecurity task force (NCIJTF), local cyber taskforces and the intelligence coordination function housed in the counterterrorism center. Agency-specific private sector outreach and engagement offices should be encouraged across the government, while systems for ensuring coordination and sharing of critical information should continue to be designed and funded on the back end.

In other words, we don’t need a new agency that will disrupt and distract a system that has many of the pieces it needs to succeed already in place. What we do need is better coordination, accountability and leadership to make sure that the federal government’s existing cyber expertise, assets and partners are engaged at maximum capacity to address the many varied and variable threats that will continue to emerge from cyber space.