The cyber threat to the nation has been documented so often that people have become numb to the reality digital threats present. Everything from armed drones to hospital surgical equipment can be hacked, and has been. As we survey the daily cybercrime, the number of hacker organizations grows with budding between them. There is a war going on across our networks and systems. The hackers are all over us.
The problem is that this is an unfair fight. Hackers don’t need congressional approval or acquisitions approval to move out and take a target providing them value. We, on the other hand, watch them with envy, both hamstrung and defeated before the next game even starts.
But there was a ray of sunshine last week. Congress finally took a notable action related to the cyber protection of this nation. On November 13, 2018, the House passed legislation standing up a new agency within the Department of Homeland Security (DHS). The new group will be called the Cybersecurity and Infrastructure Security Agency (CISA) and will be a restructured and updated version of the National Protection and Programs Directorate (NPPD). The Bill was presented on 7/24/2017. However, as a former DHS official, I can tell you that it took three years to move into this position. It is an opportunity for us to “catch up” and meet the cyber challenges of the nation. The previous alignment was not a viable approach.
Hopefully, it will not take three years for the new cyber-physical tree to produce fruit. Americans are hungry for direction on how “we” as a nation reduce risks associated with the Internet as well as carry out our daily digital-based business.
Reorganizing the Approach to Cybersecurity
The new organization will address risks, intrusions, trends and approaches to securing national communications infrastructure. Specifically, the DHS components that will be reorganized include: (1) the Cybersecurity Division, (2) the Infrastructure Security Division, and (3) the Emergency Communications Division (currently the Office of Emergency Communications). In addition, the agency must have a privacy officer to ensure compliance with federal laws.
Cyber-physical approaches to security have become a no-brainer when securing any cyber domain. The convergence of Information Technology and Operational Technology is our world. It is not some contrived buzzword money-making opportunity. Ask leaders in the Transportation Sector if securing aging infrastructure is easy with the emergence of information technology convenience. Maybe our friends in the Health Sector can convince you that securing medical devices in the age of Bluetooth and remote medicine is an easy transition.
To make the most of the new organization, DHS will need to change practices that clearly identify them as Government. For instance, even though there are exemptions to improve the speed of hiring, the hiring of cyber professionals still takes too long. What skilled person is going to wait a few months for a job paying less than what everyone is offering today? Additionally, the hiring of friends and political colleagues will have to take a back seat to efforts that will positively affect the cyber threat environment.
We Just Want Results
The bottom line is we are getting killed on offense, defense and special teams. That is a football reference for those keeping score. It stems from our goals not being clear. How can leaders implement an effective game plan without the players knowing the plays? Additionally, how will you field a team that can compete if the players on the bench are not getting training that makes them effective when put in the game?
Sure, there are a lot of hardworking men and women at NPPD, as was pointed out by the current Under Secretary of NPPD. However, many of them struggle to understand how they will help small and medium-sized businesses (SMBs), a highly sought target of all hackers. Others have questions about the role of Government, their role as Government. Few regulations have been put forth even though it is clear Industry is not going to voluntarily put protections in place. Pervasive losses like the ones we saw with Equifax will continue to rule the day. Industry has used the Government’s reliance on them to provide leverage and pushback to the Government’s strong arm. We don’t necessarily need regulations, but we need norms and adequate standards.
Leadership has been a missing component of the cybersecurity fight over the last few years. Someone must step up and attack the issues surrounding policy and operations. This must be done in ways that may not be popular across Government or the private sector. Leadership is doing something to benefit a constituency, based on sound judgement, that others may not understand until sometime in the future. I saw this kind of leadership when the CDC started putting commercials on television featuring cancer patients talking about their ailments. I also saw it from the EPA when they pushed to deliver the “Clean Water Act” and “Clean Air Act.”
No one can speak to why it takes so long for the Government to act in general. This new law creating the cyber organization streamlines operations and provides the recognition that cybersecurity is as important to society as secure movement is to the Transportation Sector. The Transportation Security Administration (TSA) was created to provide this same type of streamlining assuring the secure free flow of people and goods.
In truth, TSA was created after the September 11 terrorist attacks, and they have regulating authorities. Is a “9/11” level event required to position us for success in the cybersecurity arena? Maybe the real question is: if TSA’s success is partially connected to them being a regulator, how will the new cyber organization get Industry’s attention if they are not?