The back-and-forth in Washington over who should run the cybersecurity program for the federal government has reached a fever pitch, as lawmakers, federal agencies and other interested parties jockey for position and budget dollars in the run-up to the release of the results of the Obama administration’s review of cybersecurity operations in the federal government. But perhaps the question isn’t which agency or office should have ultimate authority over cybersecurity, but whether any of them should.
For most of the last nine years or so, the federal government has had one person nominally in charge of cybersecurity. At first it was the head of the President’s Critical Infrastructure Protection Board, who was part of the White House staff and had direct access to the president. Later, after the PCIPB was dissolved, that responsibility was passed to the Department of Homeland Security in the wake of 9/11. While the location and nature of the job have changed somewhat over the years, one thing has remained constant: The person in the job has had little to no authority to get other agencies to move on cybersecurity issues.
This fact has led some in the security industry to question the wisdom of appointing a cybersecurity czar or even a lead agency. In a podcast I did recently with Bruce Schneier, the security author and commentator, Schneier said he sees no advantage to naming one person or agency to run cybersecurity.
“Really what I think is it shouldn’t be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn’t a dictator in charge, when there isn’t one organization in charge. My feeling is there shouldn’t be one organization in charge. Not only shouldn’t it be the NSA, it shouldn’t be anybody,” Schneier said. “That’s the problem whenever you hear a cybersecurity czar being mentioned. The person doesn’t have budgetary authority. All they can do is ask nicely.”
That’s the key point that’s been missing from many of the discussions on this topic: All of these agencies have overlapping missions and none of them is interested in being ordered around by any of the others. So what we end up with is the infighting and territorial battles that have plagued the government on this issue for so long.
It’s not clear whether having no overarching cybersecurity authority would work on a practical level, but the theory makes sense. The main snag would be the lack of a coordinating agency when things go seriously wrong on the Internet or on some critical infrastructure network. DHS handles that by default now, and it likely will stay that way, given the department’s overall responsibilities.
So while it remains to be seen how President Obama handles the cybersecurity question, maybe his decision isn’t so difficult after all. Give DHS operational authority in times of crisis, forget the cybersecurity czar idea and let each of the departments and agencies handle its own business.