Solarium Commission Off to a Good Start: What’s Next (Part II)

January 9, 2020

Cyberspace Solarium Commission Co-Chair Sen. Angus King (I-ME) has “leaked” to us that the Commission is virtually unanimous in the desire to see government process for cybersecurity overhauled.

As we discussed in this space yesterday, that is a great, if not exactly novel, idea.

But as the old saying goes, every great idea eventually devolves into actual work. It is of course one thing to say let’s reorganize government and quite another to do more than rearrange the deck chairs.

If Congress, spurred on by the Solarium Commission, is actually going to reorganize government — as they should — so that it is more appropriate for the 21st century digital age (something that is already happening in industry — a whole other blog), then I’d suggest they follow three simple core principles:

Bust the turf, follow the money, and heal thyself.

Unless any reorganization effort follows these three principles, we are talking deck chairs. We have attached the section of our 2016 Cybersecurity Social Contract book, which provides greater detail as to how this can be done, but to summarize:

Any of us who have been around even a little while know that the dominant driver of government organization is not partisanship and it certainly isn’t policy — it’s turf.

When the ISA was founded in 2000, we literally had to explain to people — government and industry — that there was a cybersecurity problem beyond “Y2K” (ah, the good old days when problems could be easily solved — I digress).

Today cyber is a hot, sexy issue. Virtually everyone wants to be the cool cyber guy. So virtually every congressional committee, every subsection of government agency, every state and locality wants to put their own unique stamp on what we should do for cybersecurity.

This is a classic case of too many cooks in the kitchen. The result is irrational, inconsistent, largely uninformed and wasteful policy and practice. Exactly what we don’t need. Unless our policymakers are willing to realistically bust the governmental and agency turf and design streamlined consistent policy, then the reorganization effort will fail and likely be counterproductive. Just what we don’t need with the threat magnifying every day.

The second issue is money. The costs of cyber insecurity are hard to measure exactly but estimates range from the hundreds of billions to over a trillion or more globally each year — and increasing quickly. By comparison the DHS cyber budget is about $1 billion. That’s less than a couple of bucks individually spent on cybersecurity each year.

The notion that government can outsource its constitutional responsibility to provide for the common defense to the private sector is a specious dodge. As our National Infrastructure Protection Plan clearly articulates, government and industry have a legitimately different basis for doing cyber risk assessment (national security vs. commercial-level security). Government needs to spend much more on this issue.

Aside from the needed increase in spending, as we describe in greater detail in the Cybersecurity Social Contract book, part of government reorganizing for cyber would include reconceptualizing spending. Cyber investments need to be thought of as infrastructure investments, more like buildings than IT updates. Former Cyber Czar Michael Daniel understood this and tried to address it but ran into massive turf issues that prevented it. Maybe now is the time.

Moreover, we have this mass of uncoordinated government cyber programs which are a natural result of the uncoordinated policy apparatus — as Sen. King has noted. As we go through the necessary review of these programs that would naturally be included in any government reorganization, all these programs ought to be subjected to full cost-benefit analysis — a process we also describe below.

Finally, the Solarium Commission’s initial focus was to be on national defense and deterrence. Certainly, there is a private sector aspect to this since we all use the same internet, but we are already hearing sounds as if the Commission is swerving outside its lanes and getting deep into industrial policy such as manipulating the insurance market.

Space doesn’t permit a full detail of how bad an idea it is (really, really bad) for government to try to manage the cybersecurity market. Probably the biggest reason for government not to try to step in is because the major cyber insurance players are lightyears ahead of government in terms of understanding cyber risk.

In truth the idea that we need greater government involvement in the cybersecurity insurance market is simply another instance of attempts to amass turf. Government shouldn’t be manning the cyber insurance market — it should be learning from it. Major insurance providers are already implementing models for cyber risk assessment far more advanced than what government is typically using.

Before government decides to manage the far larger and more complex — and often more sophisticated — private sector on cybersecurity, it should get its own house in order. That alone would be a major accomplishment for the Solarium Commission.


Excerpt from the Internet Security Alliance Cybersecurity Social Contract (2016), Chapter 2, Recommendation 4:

4. GOVERNMENT NEEDS TO BE ORGANIZED TO REFLECT THE CURRENT DIGITAL REALITIES

Government’s credibility in educating, let alone regulating and mandating, cybersecurity in the private sector is clearly undermined by its lack of demonstrated ability to manage its own house.

The chaotic and disorganized governmental structures are not just inefficient but they also have serious downstream negative implications for the private sector and the citizens. Several years ago, the administration added a position of White House cybersecurity coordinator. But the position lacks the authority to command the resources needed to truly rationalize the federal cybersecurity policy and processes. (The federal government has made some progress on stronger leadership positions such as establishment of the federal CISO.) As discussed in more depth in chapter 7, the position might need to be significantly upgraded to at or near cabinet level.

Much of government’s organizational problem emanates from the lack of responsiveness to the digital age. Speaking at the Council on Foreign Relations in June 2016, CIA director John Brennan says laws haven’t “adequately adapted to the emergence of this new digital frontier. Most worrisome…is that there is still no political or national consensus on the appropriate role of the government, law enforcement, homeland security and intelligence agencies” in safeguarding the online domain.10

Moreover, government needs to inject systemic rigor into managing its own programs, and the budgeting process, at least for IT spending. The budget cycle is two or three orders of magnitude slower than the threat we face.

No less authority than current White House cybersecurity coordinator Michael Daniel has made this case.11 “We’ve got architectures in various places (in the federal government) and hardware and software that is indefensible…We tend to treat these computer systems as these gigantic capital investments like buildings rather than an investment that you need to continually refresh and treat more like a revolving fund or a management budget,” Daniel, also a former OMB official, remarked.12 (Progress on this recommendation has been made through the 2017 Modernizing Government Technology Act.)

Today, getting funding for cybersecurity often requires the chief information security officer to convince his or her boss, usually a career bureaucrat chief information officer. That CIO, in turn, must persuade the political appointees of the project’s importance, especially when compared to spending directed to the agency’s primary mission. The funding proposal goes to the Office of Management and Budget, which evaluates it in terms of dollars, rather than risk. The White House may yet step in to change it for purely political reasons. Only then does it go to Congress. There, the proposal is examined by multiple committees whose staffs may have little real experience with cybersecurity. Maybe the proposal gets in the spending bill, unless there is a continuing resolution that merely extends the previous year’s budget with little or no modification.

This outlines a process that takes twelve to twenty-four months. But even with the money in hand, federal agencies must go through the cumbersome federal acquisition process. If the proposal results in a big contract, it almost inevitably will be hung up with a protest filed by a losing company. If everything goes exactly right, it could be at least two years from the time the CISO identifies a need to the time a solution is actually available. It should be no surprise that federal agencies have problems buying the technology they need.

Daniel’s idea of building a refresh mechanism into the process is a good one. Agencies should not have to go through the entire congressional budgeting process to get the funds to upgrade from Windows 7 to Windows 10. The case for major IT systems is not as clear but more important. Major automated information systems such as those the DOD requires are increasingly reliant on commercial-off-the-shelf solutions to save money. That’s a good thing except the money to upgrade them in five or ten years never materializes. That’s why contractors have to maintain outdated Windows 95 and XP in their environment to support the systems they provide to the government.

The one aspect of federal budgeting that needs to be carried over to the IT side is with respect to cyber insurance. When the government builds a physical infrastructure, it routinely requires the contractor to have insurance, but it doesn’t apply that same best practice to digital infrastructure. Doing so is sound risk management and could stimulate the cyber insurance market for the private sector, which is already a federal goal.

In addition, all current and future government cybersecurity programs ought to have clear objectives that are subject to a cost-benefit analysis. Programs need to be periodically evaluated, and if cost benefit cannot be demonstrated, then the program needs to be reformed or canceled. If a reformed program still fails the cost-benefit-analysis test, responsibility for the program should be shifted. If the program still cannot pass the analysis, it should be canceled.

Perhaps the most intrinsic factor complicating government’s ability to adapt to the digital age is its unwillingness to manage itself. It is only slightly hyperbolic to note that the most powerful force on Capitol Hill is not policy, or partisanship, or even money—it’s turf. Today there are seventy-eight congressional committees and subcommittees that have jurisdiction over DHS. Yet some areas of critical infrastructure receive no concentrated cybersecurity attention (see chapter 11 on the food and agriculture sector).

Congress itself is structured on an industrial-age model with its sector-specific committees and subcommittees (banking, energy, telecommunications, etc.). These structures are in place not because they make sense for effective governing but because they make sense to the members who sit on them. A new president and a new Congress should seize the opportunity to reorganize government for the digital age. (Some progress on this objective has been made through the establishment of the Cybersecurity and Infrastructure Security Agency at DHS.)

Finally, government needs to more fully integrate the private sector into its cybersecurity planning and operations.

While there has been lip service paid to the need for partnership for over a decade, the actual degree of partnership on cyber issues has been, at best, sporadic. The National Infrastructure Protection Plan lays out a useful model for how the partnership is supposed to work. Each critical sector has created a privately run sector coordinating council, and each lead government agency has a corresponding government coordinating council.

Some sectors operate better than others, but in the main, the exact roles for the various councils are ill defined, and actual projects tend to be run by various staff who are left on their own to define what the partnership process means. Too often this translates into little, if any, coordination and what coordination there exists is little more than pro forma consultation with the sector council.

Government needs to clarify the roles of the various councils and senior government officials and to train staff on how to operate a partnership process. Since industry is by far the dominant player when it comes to owning, operating, and defending cyber infrastructure, government needs to treat industry as a full partner, not merely as one of many stakeholders.

Chapter 17 reports on a set of successful partnership programs and a mutual industry-government analysis of what constitutes best practices for success in managing partnership programs. These best practices ought to be officially recognized by government agencies and used as part of the employee evaluation system for officials charged with operating partnership programs.