By Samuel Bocetta.
The current state of cybersecurity in the United States, and a proposed solution.
Whatever your political opinions, we can all admit that government is good at some things, and bad at others.
It’s good, for instance, at huge infrastructure projects and providing welfare – both areas in which huge capital outlays are directed at well-understood problems. It’s less good when it comes to responding to rapidly changing situations, or adapting when circumstances change. Whatever else government might be, agile it is not.
There have been plans to create a Department of Cybersecurity in the US for years now. Each new administration, it seems, proposes the idea and then loses interest. In a sense, that’s a good thing (it at least saves the wasted dollars), because, as we’ll see, there are some pretty big problems with setting up a new department focused entirely on cybersecurity.
What Would the Department of Cybersecurity Do?
To see what these problems are, it’s instructive to look at what the proposed department would actually do. As I see it, there are three areas in which it could potentially contribute to cyberdefense.
Protecting the US Government
When it comes to protecting the country and government from cyberattacks, it might seem like having a dedicated department would strengthen cybersecurity. After all, the Department of Defense protects US citizens (and other government agencies) from conventional attack, so why not do the same with cyber?
Well, here’s why. Cybersecurity is not like conventional security. Put simply, every government department uses computers, and so every government department needs to take responsibility for its own security. IT is so thoroughly integrated into the work of every department that outsourcing its security makes no sense.
That’s not to say that there is not a role for a particular department to coordinate cybersecurity. But, in some respects, that already exists. The US already has CISA, which performs this role to some degree, and according to the DHS website, CISA is developing a National Cybersecurity and Communications Integration Center (NCCIC) which will act as a centralized agency for coordinating cybersecurity and responses.
Going further, the Department of Homeland Security already has the authority to set standards through Binding Operational Directives, which are enforced by the Office of Management and Budget, and deploys common tools across the civilian government that improve cybersecurity.
Another role for the proposed Department of Cybersecurity would be, presumably, to protect companies against cyberattack. But it’s not clear that private companies need the government to do this, because in many respects the private sector is way ahead of government when it comes to cyber risk management.
Again, however, the situation at the moment is confusing. Congress is keen for information about cyber threats to be shared, and even passed the Cybersecurity Information Sharing Act last year. The act gave the DHS a role as the central point for information sharing with the private sector, states, and across civilian federal government.
The critical question here is where risk is best managed. A government department full of the best cybersecurity whiz-kids might be able to brief companies on the latest cyber exploits, but they will not be able to tell businesses how to manage and adapt to these risks.
And, in fact, the private sector is well ahead of the government when it comes to managing the risk of cyberattacks. Most large companies now have fairly solid Data Governance frameworks in place, for instance, and have procedures for how to respond to data breaches.
Lastly, and looked at in the round, it might even be that creating a department for cybersecurity would actually harm the valuable cyber security industry itself, which is developing rapidly and worth a lot of tax dollars. Private sector solutions for cybersecurity are booming and are being driven by competition between companies who want to position themselves as the safest on the market. As Gary Stevens, cybersecurity industry expert and founder of community group Hosting Canada, put it in response to my email question:
“Companies need to take responsibility for their own security … and not rely on the government providing them with a magic bullet.”
All this said, there might be one area of cybersecurity in which the government has a role. That’s in finding the people responsible for hacks and making sure they are brought to justice.
But again, this process does not need a dedicated department of cybersecurity. Whilst I am in favor of the FBI, and state police forces for that matter, spending more on their cybersecurity programs, it is in these agencies that responsibility for catching criminals should lie. They are, after all, experienced in collecting evidence and tracking down felons, and it’s unlikely that a department of cybersecurity would have these skills.
Think about it like this. Everybody has a door, and many robberies involve a criminal forcing doors open. Given how many crimes are committed via doors, it might make sense to set up a government Department of Door Security, which would oversee all the doors in both the public and private sectors, and make sure they were secure.
That’s clearly absurd, of course. But it is no less absurd than setting up a centralized department to oversee the security of IT infrastructure.
In short, setting up a government department for cybersecurity is not a good idea, if only because it takes away the responsibility of companies and other departments to take their own security seriously.
Finally, it’s also unlikely that this situation is going to change anytime soon. In fact, as new technologies develop, it’s likely to get worse. AI is already transforming cybersecurity in some areas, for instance, but you wouldn’t know this from government-issued cyber warnings. In response, many companies are already bringing advanced Data Science into their cybersecurity protocols, again, something which is currently absent in the public sector.
Ultimately, cybersecurity requires companies and departments to adapt rapidly to changing threat environments, and to manage the risks they face. To silo this management in a monolithic government department would not only reduce adaptability, but it would also stifle innovation.