The three-way split of U.S. cyber defense responsibilities between the National Security Agency, Department of Homeland Security and the FBI isn’t working and the new president should consider uniting elements of the three departments into a single cyberdefense agency, a senior NSA official said.
“I’m now firmly convinced that we need to rethink how we do cyber defense as a nation, possibly even going so far as that we unite pieces of those three organizations into one organization that does it on behalf of the whole government,” said Curtis Dukes, the NSA’s deputy national manager for national security systems.
Currently, the NSA has responsibility for protecting U.S. government IT systems that carry classified or sensitive data — like the Department of Defense’s massive intranet known as NIPRNet. But the security of most civilian federal IT systems — and the private sector networks that support the functioning of vital industries like banks and telecoms — is the responsibility of DHS’ Office of Cybersecurity and Communications, or CS&C, housed within its National Protection and Programs Directorate.
“The good news is there’s a lot of synergy between the two organizations,” Dukes told the American Enterprise Institute Tuesday. But NSA, with thousands of staff and a large classified budget — not to mention a storied history of being at the forefront of technological prowess — is generally viewed as having the greater capabilities.
“I’m a little biased, but I think we are the best network defenders in the nation,” said Dukes.
At FedScoop’s FedTalks Tuesday, the one-time chairman of the House Permanent Select Committee on Intelligence, former Rep. Mike Rogers, said that the U.S. had “take[n] our best players off the field” by giving the lead responsibility for civilian cyber defense to DHS.
Dukes said the “bad news” was that, with every cyber intrusion becoming a potential crime scene, meaning the FBI had to be involved, and with DHS in charge, “as we orchestrate across those three departments and agencies what we find is that we’re suboptimal and by the time we actually respond to an intrusion, it takes hours to days and by then in cyber time, the adversary has already met their objective.”
Figuring out under whose authorities an incident response should be run meant giving the enemy a head start, he said. “By the time we fill out the paperwork that would allow NSA to provide assistance, it’s typically days to a week before we can actually respond,” he added.
“Who’s in charge? … By the time we get that all sorted out, we are at a disadvantage,” he said, adding that the British government earlier this year formed a National Cyber Security Centre headed by the General Communications Headquarters, the British counterpart to NSA, to provide both the government and private sector cyber defense advice.
“There’s one entity,” he said. “They’re in charge. I think that’s a model we ought to look at.”
Dukes was head of the NSA’s cyber defense organization, the Information Assurance Directorate, until that was merged last month into a single operations directorate alongside the NSA’s eavesdroppers, the Signals Intelligence Directorate.
The merger has proved controversial among some agency watchers, who note that the NSA has effectively merged its defensive players — responsible for securing IT networks — with its offense — the players responsible for breaking into networks and stealing other countries’ secrets.
“Companies, NGOs and others can no longer have a relationship with IAD. Instead the private sector has to have a relationship with the Operations Directorate responsible for gaining a ‘decision advantage’ for the United States,” wrote Phil Reitinger, the former deputy undersecretary for the National Protection and Programs Directorate at DHS. “That may be harder to sustain and may impose economic consequences on companies that do work with the NSA on its cybersecurity mission.”