The Obama administration announced the creation of a new cybersecurity intelligence organization Tuesday to collect, analyze and distribute information throughout the government to identify and stop major cyberattacks.
Lisa Monaco, the assistant to the president for homeland security and counterterrorism, announced the new Cyber Threat Intelligence Integration Center during a presentation at the Wilson Center in Washington, D.C., just three days ahead of President Barack Obama’s planned meeting with business leaders in Palo Alto, California, to discuss cybersecurity information sharing and improving the nation’s defenses. The new organization will fall under the Director of National Intelligence and will be modeled on the post-9/11 formation of the National Counterterrorism Center.
“There are structural, organizational and cultural shifts that were made in our government in the counterterrorism realm that also apply to cyber,” Monaco said. “We need to develop the same muscle memory in the government response to cyber threats as we have for terrorist incidents. The threat is becoming more diverse, more sophisticated and more dangerous. And I worry that malicious attacks, like the one against Sony Pictures, will increasingly become the norm.”
The central thrust of the administration’s thinking on the new CTIIC is to leverage a whole of government approach to cybersecurity response and focus the government’s efforts into one organization. “In the cyber context, we need to share threat information more broadly and to coordinate our actions so that we are all working to achieve the same goal,” Monaco said. “Currently, no government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats. The CTIIC is intended to fill these gaps.”
An interagency effort, CTIIC will leverage analysts and experts from across the government, but it will not collect intelligence, Monaco said. Its primary role will be to integrate and analyze cyber intelligence information already collected under existing legal authorities. Likewise, the CTIIC will not replicate the functions of the dozens of other information-sharing and analysis centers or fusions centers that currently analyze and distribute information throughout specific industry verticals and law enforcement communities.
Monaco acknowledged that for the CTIIC to be successful, the government will have to “work in lock step with the private sector.” But leading national security experts, including the former vice chairman of the 9/11 Commission, told FedScoop that while the concept of forming the CTIIC is a good idea and desperately needed, its success will ultimately depend on the authorities it is given and how much the private sector cooperates.
“I think it’s the right concept, and it’s badly needed in the government,” Rep. Lee Hamilton, D-Ind., the former vice chairman of the 9/11 Commission, said in a telephone interview with FedScoop. “What the government has lacked has been a kind of a clearing house that would bring together everybody to talk through the nature of the threats and attacks and to try to get some unity of effort.”
But Hamilton acknowledged that identifying the appropriate legal authorities under which the CTIIC can operate effectively will not be easy. During her speech at the Wilson Center, Monaco called on Congress to get behind the effort but said the president would act within his existing authorities to do what was necessary to standup the CTIIC.
“The federal government won’t leave the private sector to fend for itself,” Monaco said. “But executive actions alone won’t be enough. We need durable, long-term solutions codified in law. This is not and should not be a partisan issue.”
The administration’s approach to executive action in the cyber realm is “probably the right posture,” Hamilton said. “But I would feel better if there was a legislative framework. This is an urgent threat. We’ve played around with this threat long enough.”
CTIIC is needed, but can it work?
Ross Ashley III, the executive director of the National Fusion Center Association and a senior adviser at the Chertoff Group, said the challenges facing cybersecurity today are similar to those that existed in the counterterrorism community before 9/11. Those problems, such as information overload, circular reporting and the inability to share across organizational lines, were largely to blame for the intelligence community’s failure to detect the 9/11 plot.
“From our standpoint, there definitely needs to be some sort of coordination at the federal level because we do get bombarded with information from multiple agencies,” Ashley said. “Do we need a whole new agency? Probably not. But to give the [CTIIC] the authorities to operate similar to the way the NCTC does would be an extremely valuable thing. Because there’s not an entity to report to.”
Ronald Marks, a former CIA officer who currently serves as a senior fellow with the Homeland Security Policy Institute at George Washington University, said he favors the administration’s plan and thinks the NCTC model is the right one. “The NCTC model has been wildly successful. Now it becomes a matter of how well these guys can coordinate with the private sector,” Marks said. And that’s not going to be easy, he said. “The problem of determining what information can be shared isn’t going away.”
But one senior official involved in the government’s interface with a major industry information sharing and analysis center raised concerns about the creation of additional government bureaucracy. “We should not be creating more bureaucracy,” said the official, who spoke to FedScoop on condition of anonymity. “There is already a structure in place, represented in the National Critical Infrastructure Protection Plan. [The Department of Homeland Security] is at the core of the plan for intelligence, information sharing and coordinated response, and serves as the sector-specific agency for several of our nation’s critical infrastructures. Why reinvent the wheel? Take the funding and advance critical infrastructure cybersecurity intel and information sharing improvements within DHS to support all agencies.”
Ashley, however, points to a bulletin that was sent to all of the state-level fusion centers with instructions on how to report cybersecurity incidents to the federal government as an example of why an organization like the CTIIC is desperately needed. “There was no clear way,” he said. In some cases, fusion centers were instructed to call the FBI, while others were told to contact the Secret Service or DHS. “All these different lanes are not coordinating with each other,” he said. “And I think we’re going to miss something.”
But even Ashley said a lot can be accomplished by giving the existing structure at DHS the right authorities. “If you were to take the [National Cyber and Communications Integration Center] that exists at DHS and give it the authorities similar to the NCTC…I think that would be a huge step forward,” he said.