A senior NSA official told the American Enterprise Institute last week that the U.S. should consider combining parts of the National Security Agency, Department of Homeland Security, and Federal Bureau of Investigation/Department of Justice into a single organization.
That official, Curtis Dukes, seemed to imply that such an organization should be under the control of NSA, referencing the United Kingdom, whose National Cyber Security Centre is operated by General Communications Headquarters, the UK’s equivalent to NSA, as a model.
These arguments surface periodically. They are based on capability (NSA has the best network defenders) and efficiency (coordination during a cybersecurity incident is hard!). They were muted by the Snowden controversy, given the damage to NSA’s brand. But it’s now clear the sentiments have not gone away.
I have no reason to believe these comments reflect Administration policy, and there is good reason to believe they are directly contrary to it. The White House released its cybersecurity incident coordination policy less than three months ago, and that policy calls for the departments to work together, not be merged into one agency. Administrations don’t usually reverse course so quickly. Trying to merge significant parts of separate agencies into a single new agency is also a bad idea at this point in time.
There are bound to be fault lines between government organizations, no matter how one draws the org chart. For example, if you establish a cyber defense agency, then you have necessarily separated physical infrastructure protection from cyber infrastructure protection. Reorganization could also cause significant new problems – for example, removing cyber law enforcement from the FBI would require massive duplication of capabilities and establish vast new areas for misunderstanding.
The problems with establishing a new cyber defense agency under the U.S. Department of Defense include:
- Reorganizing uses time and resources on bureaucracy rather than capability;
- Putting domestic cyber defense authorities under DoD, except in very exceptional circumstances, is contrary to the American system of government and would raise significant civil liberties issues;
- Therefore, if the U.S. did want to integrate into a cyber defense agency, it would likely be outside of DoD, which also doesn’t seem practical if defense of DoD networks is part of the mission;
- Reorganization would only further magical thinking that the military has all the answers and can save the private sector, when building new government authorities, applying more resources, relying on private sector capabilities, and securing the ecosystem itself are necessary; and
- Such a reorganization would more deeply integrate DoD and the private sector, with likely consequences for the competitiveness of US companies around the world.
That doesn’t mean, of course, that mechanisms for streamlining activity shouldn’t be developed, or that specifying who is in charge should not be more clearly defined. Indeed, one of the things that was missing from PPD-41 was further detail on the topic of “who is in charge.” But severing cyber from DHS and possibly the FBI is not warranted.
Philip Reitinger has served as the President and CEO of the Global Cyber Alliance since December, 2015. GCA is a non-profit organization focused on eradicating systemic cybersecurity risks – risk by risk.
In 2009, Mr. Reitinger was appointed as the Deputy Under Secretary for the National Protection and Programs Directorate at DHS. He also served as the first Executive Director of the Department of Defense’s Cyber Crime Center, and as Deputy Chief of the Computer Crime and Intellectual Property Section at the Department of Justice.