Former NSA director: It’s time to trash the federal cybersecurity hierarchy

Former NSA Director Keith Alexander told senators Thursday that the government should undertake a massive reorganization effort that would consolidate some current cybersecurity responsibilities split between the FBI, Homeland Security Department, Defense Department and intelligence community, into a single entity.

“When we talk to the agencies they don’t understand their roles and responsibilities,” said Alexander, who helped author the Commission on Enhancing National Cybersecurity report which was provided to the Trump administration. “Yes, I do think it should be brought together … I believe there is a way to get around this lack of a strategy by setting up a [new] framework.”

Alexander, who now runs a private cybersecurity firm based in Fulton, Maryland, spoke before the Senate Armed Service Committee with other prominent experts about cyber-operations strategy and policy.

Chairman John McCain, R-Ariz., previously criticized the Obama administration for how it responded last year to an expansive Russian hacking campaign aimed at the U.S. presidential election. McCain’s evaluation, at least in part, revolves around how the government has handled these incidents from an organizational standpoint.

Panel member James Inhofe, R-Okla., in agreement with McCain, described that the federal government is facing a “stovepipe scenario” — in which each of these respective agencies are not collaborating in a manner sufficient to protect the nation from and react to cyberattacks.

“It’s not working,” Alexander said. “There are four stovepipes and it doesn’t make sense. If we were running this like a business we would put them together. The issue now gets to … you now have all these different committees in Congress looking at these [cybersecurity issues] and it’s messed up.”

The Obama administration in July attempted to clarify who is responsible for what by publishing a White House directive known as Presidential Policy Directive 41, or PPD-41. In short, the directive was designed to draw jurisdictional lines by assigning roles in the case of a cyberattack for coordination, risk mitigation and communications purposes.

“What you have is people acting independently and with these seams we will never defend this country. And more importantly, when private industry looks at our government they are, quite frankly, dismayed. We are all over the map,” Alexander said. “No one can answer who is responsible.”

Alexander said that he and former Defense Secretary Robert Gates had previously spoken about combining DHS and law enforcement’s cybersecurity responsibilities with that of the Defense Department and intelligence community; all under a single framework.

Others who testified Thursday, however, pushed back on the idea of completely tearing down the existing structure.

“The situation is a little more complicated,” responded Craig Fields, the chairman of the Defense Science Board. “I don’t see duplication in efforts, I see gaps, because we do not have an orchestra conductor … unless we have the policy, orchestra conductor and strategy we can never go where you want to go.”

This role of “orchestra conductor,” according to Fields and former Undersecretary of Defense For Policy James Miller, should exist outside the scope of the National Security Council.

During the Obama administration, White House cybersecurity adviser Michael Daniel seemingly played this so-called “orchestra conductor” role. Daniel’s job often involved managing the vast bureaucracy of government to further both defense and offensive missions.

McCain subsequently asked the panel of speakers to submit a list of recommended individuals for this position. It remains unclear if or when the Trump administration will fill Daniel’s vacant post, since he left the White House in January.

“I am not convinced a mass reorganization is appropriate, certainly at this point in time. I look toward an integrating body,” Miller explained.

He added, “One option which I believe should be considered is to build out from the so-called CTIIC, or Cyber Threat Intelligence Integration Center … [we should] look to build towards the National Counterterrorism Center model if not to the joint interagency task force model.”

Founded in 2003 as part of the Office of the Director of National Intelligence, the McLean, Virginia-based National Counterterrorism Terrorism Center brings together specialists from several federal agencies, including the CIA, the FBI, and the Defense Department, to focus and synchronize interagency investigations into suspected terrorists.