Publicly, government officials say that cybersecurity is a matter of collaborative teamwork between a range of agencies. Now, however, the debate in Congress highlights how the relationship between civilian and defense agencies remains unsettled, and how the most tangible cyberbattle may be a turf war.
Most analysts and officials agree that the diverse nature of cyberthreats has to be met together by a diverse set of agencies and private businesses. In recent years, the Obama administration has taken steps to solidify those relationships.
In 2009, the Homeland Security Department established a National Cybersecurity and Communications Integration Center, which combined some of the largest federal cybersecurity efforts, including the U.S. Computer Emergency Readiness Team.
On the military side, the Defense Department has formed the U.S. Cyber Command, overseen by the National Security Agency, to coordinate cyber defense and offense. In an October 2010 memorandum of agreement, the Pentagon and DHS outlined plans to divide cybersecurity authority.
The debate stems from fears that DHS and law-enforcement agencies don’t have the capability to confront major cyberattacks. Concerns over civil liberties, meanwhile, have dogged efforts to have the Defense Department and NSA, with its cyber capabilities, take a larger role in domestic cybersecurity.
“We want DHS to take the lead on resilience and working with civilian agencies in critical infrastructure. We want DOD to take the lead on defending the nation under cyberattack,” Keith Alexander, who leads NSA and Cyber Command, told the Senate Armed Services Committee in March.
But that’s a hard line to draw in cyberspace, where attacks routinely cross borders and target both government, and private organizations and individuals. In February, The Washington Post reported that NSA had “pushed repeatedly” for a greater role in protecting civilian networks, only to be rebuffed by the White House over privacy concerns.
Now the interagency turf war has spilled over into Congress, where more than a dozen committees have a piece of the cybersecurity pie.
In January, the Senate Intelligence Committee dropped a proposal that would have given NSA the authority to monitor some American networks for cyberthreats.
And a multi-committee process led by the Senate Homeland Security Committee produced the sweeping Cybersecurity Act of 2012—but not the support needed for passage. Republicans, under Senate Armed Services Committee ranking member John McCain, R-Ariz., bashed the bill for relying on DHS to oversee critical infrastructure such as electric grids.
“Anyone who has been through an airport, as I do regularly, as most of us do, [has] no confidence in the technological capabilities of the Department of Homeland Security,” McCain said when the Cybersecurity Act was introduced in February. He argued that only NSA and Cyber Command are currently capable of protecting the United States from cyberattacks.
It is clear that there is little love lost between DHS and some GOP lawmakers, and that is bleeding over into the cybersecurity debate.
“To put them in charge of any critical infrastructure scares the hell out of me,” said Rep. Lee Terry, R-Neb., at a House Energy and Commerce subcommittee hearing on cyberthreats in March. “Anytime I go through any airport, it reminds me of how incompetent they are.”
GOP presidential contender Mitt Romney has said the Obama administration has “not adequately engaged our defense and intelligence resources” to combat cyberthreats.
Republicans who have pushed for a greater role for DHS have risked being sidelined in Congress. Senate Homeland Security ranking member Susan Collins, R-Maine, found herself abandoned by GOP leaders, who balked at supporting the Cybersecurity Act.
And in the House, Republican leaders on the Homeland Security Committee were forced to scale back their cybersecurity bill, which would have given DHS more authority. In the end, the measure wasn’t scheduled for a vote with this week’s other cybersecurity bills.
But the issue doesn’t divide evenly along party lines. The bill favored by House Republicans, the Cyber Intelligence Sharing and Protection Act, is cosponsored by several Democrats, including House Intelligence Committee ranking member Dutch Ruppersberger, D-Md., whose district includes NSA’s headquarters.
Ruppersberger and the bill’s lead sponsor, House Intelligence Chairman Mike Rogers, R-Mich., say that CISPA doesn’t do anything to diminish the DHS role.
“The bill would make clear that it grants no new authority to the Department of Defense or the intelligence community to require or direct any private or public cybersecurity efforts,” Rogers told reporters on an April 10 conference call.
Critics, however, argue that CISPA could lead to surveillance by NSA and other intelligence agencies.
“Without specific limitations, CISPA would, for the first time, grant non-civilian federal agencies, such as the National Security Agency, unfettered access to information about Americans’ Internet activities and allow those agencies to use that information for virtually any purpose,” more than a dozen House Democrats wrote in a letter to Rogers and Ruppersberger on Monday.
For his part, Rogers points to communication barriers before the Sept. 11 terrorist attacks, arguing that it would be a “horrible mistake” not to allow defense and intelligence agencies to use cyberthreat information to protect the country.