CISA, NSA And The Dual Hat

Uploaded on 2021-03-29 in TECHNOLOGY--Resilience, INTELLIGENCE--USA, GOVERNMENT-National, FREE TO VIEW

One of the most challenging parts of a 20th century government structure - like the U.S. - is dealing with a 21st century challenge.  We first saw this in the disaster of 9/11 which was less about an intelligence or policy failure than the ugly new reality that we have entered an era of porous borders/porous boundaries.  Al Qaeda did not have an international and domestic bureaucracy not talking to each other. 

They played a loose game of soccer, we played rules bound American football.  And they won the first round.

Unfortunately, we now seem to be playing out the same circumstances in Cyber world where the last several months have been filled with a litany of extraordinary breeches. The Microsoft and SolarWinds break-ins, done by China and Russia, are extraordinary in their breadth and scope. 

And, this time, we certainly didn’t lack for entities to defense the ramparts.  The alphabet soup of U.S. government agencies involved in Homeland Security, Defense, Justice and Commerce Department and multiple private sector industry cyber security groups is equally breathtaking - all in response to the last ten years of continued cyber lawlessness.  Yet, again, we have failure.

The main domestic breakdown is the continued “stovepipe” separation between the external and internal. In particular, between those with the technical cyberspace savvy people to resolve the problem and the defenders who can take action. 

Externally, the Cyber Command / NSA dual hat combination has worked increasingly well  - one focused on attack, the other focused on warning and developing successful software “tools”.  But, this kind of logical pairing has stopped at the border for a number of reasons, mostly surrounding domestic privacy concerns and old fashioned 20th century thinking.  We simply need to move beyond that.

Former Secretary of Defense Robert Gates (for full clarity, my old boss at CIA,) has put forward a potential solution which I think would work well - it is time to match off the expertise of NSA with a domestic agency that could defend inside the American borders - which the Russians and Chinese now so easily enter under our “external fence wire.” This domestic “dual hatted” arrangement would act as Cyber Command and NSA do today externally – provide expertise, insight, and execution together.  

While Gates suggests DHS as the Department, I would suggest further that Cybersecurity and Infrastructure Security Agency (CISA) would be the place to nest the DHS anchor.  Unlike the law enforcement-oriented FBI, CISA has the mission of warning and the vast private sector connections to benefit from a relationship with NSA. The Director of CISA would, in essence, be dual hatted with NSA.

The objection to this would be strong in the area of civil liberties and the question of overburdening the NSA – triple hatting the DIRNSA.  While there is merit to both concerns, there are known ways around these challenges. 

We already have, in place, civil liberties oversight organizations in the Intelligence Community and DHS. This is not the bad old days of the ever relived 60’s where no one was watching the store from Capitol Hill nor the outside world.  We have two oversight committees paid to watch out for these abuses.  And, I dare say, an active cyber space filled with public watchers who would never stand for anything close to the nonsense of the 1960’s and blow the whistle on perceived misdeeds.

As for the triple hatted nature of an NSA Director, that is simply a bureaucratic term with little practical daily impact.  Directors have deputies who manage the day-to-day operations.  Adding one for domestic would not be a major challenge.

The challenge, however, would be the work load for the NSA staff. There are a lot of good people at NSA.  But, they would be further spread thin with a domestic role. And we are already challenged in the US government with a shortage of good cyber people - often put off by the slowness of hiring and the ever-present problem of passing background checks.  

This problem can be ameliorated, in part, through the contracting community who can move more swiftly in the hiring process than the government.  And, while the contractors will always have security problems, they have a quickly developing set of stringent cyber security rules promulgated by a very involved Defense Department security protection system.

All of this will not add up to the perfect defense in cyber space at home.  There is no such thing as one hundred percent security.  But, Secretary Gates was right – we have to move away from the concept of internal and external defense and use of intelligence to protect America’s cyberspace.  Allowing NSA and CISA to work closely together may help.

Ronald Marks is Term Visiting Professor, George Mason University, Schar School of Policy and Government. He is President of ZPN Cyber & National Security Strategies     

Image: Unsplash

You Might Also Read: Smart Artificial Intelligence

 

 

« Investigating Fake News With Google, YouTube & Facebook
Create A Cybersecurity Compliance Plan With These Seven Tips »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CERT-MU

CERT-MU

CERT-MU is the Mauritian National Computer Security Incident Response Team.

Netskope

Netskope

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

softScheck

softScheck

softScheck is an IT security consultancy. Services range from pentesting and compliance testing to security auditing of software and IT infrastructure.

IAC

IAC

IAC is a specialist Irecruitment consultancy covering Internal Audit, Risk, Controls, Governance, IT Audit, and Cyber Security roles.

Sectigo

Sectigo

Sectigo is a leading cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

DataViper

DataViper

DataViper is a threat intelligence platform designed for organizations, investigators, and law enforcement.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

Institute for Pervasive Cybersecurity - Boise State University

Institute for Pervasive Cybersecurity - Boise State University

Boise State University’s Institute for Pervasive Cybersecurity is a leader of innovative cybersecurity research and advancement in Idaho and the region.

Computacenter

Computacenter

Computacenter is a leading independent technology partner, trusted by large corporate and public sector organisations. We help our customers to source, transform and manage their IT infrastructure.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

Tryaq

Tryaq

Tryaq are a group of cybersecurity experts and enthusiasts who share the mission to make the world feel safer online.

Attestiv

Attestiv

Attestiv puts authenticity into photos, videos and documents by utilizing advanced technologies in AI and tamper-proofing.

Hacker School

Hacker School

Hacker School offers technology motivated training programs that provide Cyber Security Certifications and Courses.

True Corporation

True Corporation

True Corporation is Thailand’s leading Telecom-Tech company, empowering people and businesses with connected solutions that advance society sustainably.