President Obama’s decision to create a new Cyber Threat Intelligence Integration Center underscores the widespread acknowledgement that the federal government needs to get its act together and speak with one voice when it comes to leading the defense of cyberspace. But it’s also symptomatic of an administration willing to put forth half measures when the situation clearly calls for bold action.
When Lisa Monaco, the assistant to the president for homeland security and counterterrorism, announced the administration’s plan to create the CTIIC under the auspices of the Director of National Intelligence, she did so amid the backdrop of a never-ending stream of massive data breaches, a private sector hell-bent on avoiding regulation at any cost and a nation facing an increasingly diverse and sophisticated array of threats.
“I worry that malicious attacks, like the one against Sony Pictures, will increasingly become the norm,” Monaco said, during a speech Wed. announcing the CTIIC. “Currently, no government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other elements within our government, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats,” she said. “The CTIIC is intended to fill these gaps.”
That sounds great, if only it were true and if only the administration was serious about creating an organization with real capabilities and authorities.
What is most striking about this proposal is how it ignores the billions of dollars the American people already invest in the Department of Homeland Security, which currently operates the National Cybersecurity and Communications and Integration Center. DHS’ own description of the NCCIC calls it “a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.” In addition, its mission is to share information “among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions.”
More troubling still is the administration’s lack of planning for staffing the new CTIIC. When asked by reporters where the cybersecurity experts for the new CTIIC would come from, Monaco said they would be “detailed” from other agencies. According to Monaco, these experts would jump at the opportunity because “joint” duty assignments are a sure way to promotion. But there was no mention of the fact that if these experts exist in the federal government, they should probably already be detailed to the NCCIC.
Without a serious effort by Congress to get behind the White House plan, the CTIIC will be relegated to just another layer of duplicative bureaucracy with no funding, no personnel and no real authority.
And if the federal government’s cybersecurity experts aren’t already serving in DHS’ NCCIC, perhaps they are currently working at the U.S. Computer Emergency Readiness Team, the Industrial Control Systems CERT, one of the 17 Information Sharing and Analysis Centers or one of the 72 state and local fusion centers around the country.
The other major problem with the administration’s strategy for the CTIIC stems from the fact that the new center will be modeled on the National Counterterrorism Center. On its face, this is a wonderful idea. But the NCTC, as it is known, is an organization that brings to the table statutory authority. The NCTC, after all, was stood up by an act of Congress — the National Security Intelligence Reform Act of 2004. That statutory basis provides the NCTC with real clout. The CTIIC will have all the force of an executive order.
Even if Congress is able to muster the courage to cooperate on a cybersecurity information sharing bill, it’s unlikely that such a law would replace the current voluntary framework with a serious regulatory regime based on best-of-breed risk management practices. And without a serious effort by Congress to get behind the White House’s proposal, the CTIIC will be relegated to just another layer of duplicative bureaucracy with no funding, no personnel and no real authority.
