National Security Agency Should Lead on U.S. Cybersecurity

President Obama and Congress need to end their standoff over U.S. cybersecurity.

Daniel Gallington is the senior policy and program adviser at the George C. Marshall Institute in Arlington, VA. He served in senior national security policy positions in the Office of the Secretary of Defense, the Department of Justice, and as bi-partisan general counsel for the U.S. Senate Select Committee on Intelligence.

According to recent news reports, President Obama has signed a classified executive order governing U.S. cybersecurity—and more cyber-related executive orders may be in the works. This could be a good thing, depending on which agencies have primary responsibilities for assuring the cybersecurity for our nation's critical infrastructure.

The president's executive action is timely—and required—because the Congress has been unable to agree on comprehensive cybersecurity legislation. However, this is a good thing because Congress (with some exceptions) has a fundamentally distorted view of what cybersecurity is and how to do it.

How and why this situation has evolved is a story of "pure pork politics"—and one that Congress would probably not want voters to understand. And, this isn't a Republican-Democrat political issue so much as an executive branch-congressional standoff.

It's also a matter of great urgency: If our cybersecurity is not "done right"—and soon—we will continue to be at very high risk from cyber attacks against our critical infrastructure. Translation: Imagine our electric power grids shutting down, bank accounts zeroed out, and computer service providers all "going dark" at once. And, cyber warfare experts tell us it's a matter of when it happens—not whether. With this bleak introduction, we have to go back a decade to understand why we're at such high risk today: Here's the story.

Recall that, in the legislative wake of 9/11, the "big fix" Congress imposed was the creation of the Department of Homeland Security. "Imposed" is the right word because President Bush initially opposed creation of a whole new department of government. However, and according to the Washington Post: "By 2002…the political momentum behind the new department overtook the administration, and in November, the president signed the Homeland Security Act of 2002, creating the new department."

So, what really motivated Congress to establish the Department of Homeland Security over the objection of the president? Simple: They created a cash cow to throw big money at. And, perhaps more important, much of the money they appropriate for the department "comes back home" to their states or districts in the form of federal grant money for state and local "homeland security related" projects—liberally defined to include most anything.

In other words, it's pork, pork, and more pork. And, Congress has continued to fling big money at the Department of Homeland Security—$40 billion is planned for 2013! Not surprisingly, Congress also believes that Homeland Security should be in charge of our domestic cybersecurity—which means even more money for the Department of Homeland Security cash cow! And, guess what Congress has them doing with all that new cybersecurity money? They simply hand it over to the various parts of the private sector "critical infrastructure" and ask them to "certify" that they have secured themselves [us] against cyber attack.

If this sounds to you like the "fox guarding the chickens" (and the "chickens" would be us!) you would be right. Nevertheless, it's our Congress's preferred method to address the cybersecurity of our nation's critical infrastructure.

There are a few congressional opponents of this approach: Sen. John McCain leads the way for more rational thinking. Senator McCain does not trust the neophyte Department of Homeland Security with this critical national security mission, and proposes a more proactive role for the Department of Defense, particularly the National Security Agency—our "in-house" and world-class experts for all things cyber. There also could be valuable support for this view from Texas Rep. Michael McCaul, the incoming chairman of the House Committee on Homeland Security. Congressman McCaul has characterized the Department of Homeland Security as "mismanaged, dysfunctional and wasting money"—this does not sound like whom we want to be "in charge" of our cybersecurity.

Are there legal and privacy issues associated with a larger Department of Defense/National Security Agency role for our cybersecurity? Sure, but there are also such issues with Homeland Security being "in charge," maybe even more. Furthermore, these issues are no more complex than those that have been successfully addressed in similar technical areas requiring cooperation and coordination between the National Security Agency and other national security related agencies and activities.

So, let's hope that "the guts" of the new cybersecurity executive orders will:

  1. Require or "enable" the National Security Agency to "stress test" key parts and components of our critical cyber infrastructure.
  2. Require that the "stress testing" regime be governed by strict privacy guidelines established (and under continual review) by the attorney general, just as the attorney general has approved guidelines for other agency activities.
  3. Require detailed procedures for various internal levels of articulation, approval, review, and oversight for National Security Agency cyber "stress testing," along with periodic reporting to the relevant congressional oversight committees.

What kinds of privacy "stress testing" should the National Security Agency be able to do to assure the security of our critical cyber infrastructure? It should simulate the latest and most serious cyber threats; and, there should be an ongoing and creative cyber "red team" effort working 24/7 to come up with new threats—just like the bad guys do. Just as important, when flaws or weaknesses in our critical infrastructure cyber systems are discovered, identified, and isolated, the National Security Agency and other agencies (including the Department of Homeland Security) with equities in protecting us from cyber attacks must work together—with the private sector—to quickly "patch" the systems found at risk.

Bottom line: An intense, comprehensive, continuing, and cooperative effort is required to keep us safe from cyber attack—only then can we have some degree of confidence in the "critical infrastructure" we depend on to "be there" for us. The National Security Agency must have a major leadership role in this process—and the new executive orders should enable this essential and practical reality.