The way that U.S. government agencies respond to cyberattacks against the private sector from nation-state or other high-level adversaries is “fundamentally flawed” and needs to change, outgoing NSA Deputy Director Rick Ledgett said Tuesday.
Ledgett, the latest addition to a growing list of cybersecurity officials and former officials who have called for the nation’s cyber responses to be overhauled, mocked existing response plans at an Aspen Institute luncheon roundtable hosted by former Justice Department senior official John Carlin.
“The analogy a colleague of mine uses,” Ledgett explained, “is … if your house catches on fire, you have to call the mayor to see if he’ll let you call the water department to ask them to turn the water on. And then you call the city council to see if you can get funding for the fire department to send a truck. And by the time that’s all happened, your cyber house has burned to the ground.”
Ledgett, who announced his upcoming retirement earlier this year, described how, under current law, whenever the technical expertise of NSA personnel is needed outside of the military and intelligence agency networks it normally protects, there is an involved legal process.
“Every study we’ve ever done of government’s response in cyber says we need two things: integration and agility,” he said. “I think you can make a pretty compelling case that the current way we do that has neither of those.”
“Currently,” Ledgett continued, “the largest cadre of cybersecurity knowledge in the U.S. government is within the Department of Defense — NSA and Cyber Command — and it’s really difficult to apply that to the private sector or to critical infrastructure.”
“Any solution that doesn’t let that happen with some degree of agility while still respecting the appropriate [restrictions on the] role of the intelligence community and the role of the military in my mind is fundamentally flawed.”
The process requires a legal document called a “request for technical assistance,” he said, which has to go up the chain of command in the civilian agency requesting the help — normally the Department of Homeland Security — “and across to [the Department of Defense] and then down to the NSA.”
“Our adversaries are moving at cyber speed, we’re moving at policy speed,” he said.
“There’s lots of time spent moving paper around between lawyers which could be more profitably spent onsite” working the intrusions, he said. Absent “heroic efforts” by those involved, “that model clearly is not one that’s going to be successful going forward and we need something different,” he concluded.
Moderating the lively discussion, Carlin — who recently left the post of assistant attorney general for national security at the Justice Department — asked whether Britain’s decision to create what he called “a one-stop shop for cyber defense” could be a model.
“I think we should look at that model and consider it and learn from our close partners in the U.K.,” said Paul Abbate, the head of the FBI’s Criminal, Cyber, Response and Services Branch. “It’s something we might want to move towards.”
“A single voice from the government for the private sector,” said Ledgett, “helps with the agility of defensive responses.”
“I think the idea of an entity that has people who can leverage all the different authorities of the different components of the government and can apply those authorities without having to go back to headquarters for a mother-may-I — within some kind of constraints — has merit,” he added.
Carlin, now an attorney in private practice, said he did not think that Ledgett was alone in his critique.
“I hear the same thing again and again [from private sector] … they don’t feel right now the government has the resources to [give them] the help they need,” Carlin said.