Ushering in a Transparent Revolution in Cybersecurity – The Cipher Brief
Thomas S. Warrick, Nonresident Senior Fellow with the Middle East Programs Group, Atlantic Council
Javed Ali, Towsley Policymaker in Residence at the University of Michigan’s Gerald R. Ford School of Public Policy
Thomas Warrick was DHS Deputy Assistant for Counterterrorism Policy from August 2008 to June 2019 and is now Director of the Future of DHS Project at the Atlantic Council.
Javed Ali held senior counterterrorism positions at DHS, the FBI, the Office of the Director of National Intelligence, and the National Security Council. He is a Towsley Policymaker in Residence at the University of Michigan.
OPINION — Eyebrows were raised when the Biden administration initially chose veterans of the usually secretive National Security Agency (NSA) for all four top cybersecurity positions in the most diverse administration in U.S. history.
The two leaders who face confirmation hearings on Thursday—Chris Inglis as National Cyber Director and Jen Easterly as director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)—deserve confirmation by the Senate. They, along with NSA senior executive Anne Neuberger, the Deputy National Security Adviser for cybersecurity, and Amit Mital, who in April replaced NSA’s Michael Sulmeyer as senior director for cybersecurity, could be the right people to help lead what needs to be a transparent revolution in cybersecurity.
Given NSA’s reputation for secrecy, this might seem odd. In fact, what these NSA veterans share, apart from strong individual qualities, is their knowledge that what is needed now in civilian cybersecurity is significantly increased transparency and an emphasis on enhanced information-sharing. As national security practitioners, they know, as do we (between the two of us we have more than fifty years’ experience), that while secrecy has its place, especially in protecting sources and methods, it also has its limits. And given the need in cybersecurity for information-sharing, speed, and strong collaboration between the public and private sectors—a critical feature that sets cybersecurity apart from other aspects of national security—defaulting to a secretive and insular approach would be a mistake.
The first reason to expect a revolution in transparency is that strong cybersecurity requires a robust partnership between the government and the many technology stakeholders who own information technology infrastructure, platforms, and services that adversaries target.
Almost all the cyber infrastructure in the United States is outside the hands of the federal government, in the hands of private industry, state and local governments, academia, and other non-federal sectors. Conversely, much of the information about cyber threats or adversaries’ intentions and capabilities is in the hands of the federal intelligence and law enforcement communities. As both the Cyberspace Solarium Commission and the Future of DHS Project concluded, cyber operators in this non-federal space need high-fidelity, often classified intelligence to first identify threats to their networks and then to justify actions to their C-Suite executives to defend them. Increasing the speed of sharing is now vital. Recent attacks—like those against Colonial Pipeline and JBS Foods—show that government and private operators need to exchange information, including attribution, in real-time and at network speeds. Hostile nation-states and criminals will hold U.S. national security and prosperity at risk unless the federal government and private sector open up to each other.
Second, the federal cybersecurity enterprise needs the trust of the American people.
For the private sector and government to work together at network speeds, it is essential there be trust, communication, and a shared understanding of desired outcomes. This is one reason security veterans know that NSA is not the right agency to lead civilian cybersecurity. NSA is trusted within the government, but for historical reasons, not so much outside it. This is why the role of DHS’s CISA is so important, and why confirming Jen Easterly—whose career spans both cyber and non-cyber threats, and both the government and private sectors—is critical.
Third, to keep the people’s trust, civilian cybersecurity efforts—and the information that private citizens provide the government to help secure our networks—must never be used for partisan political purposes.
Like the military and the intelligence communities—from which NSA comes—the federal cybersecurity enterprise needs to be, to the greatest extent possible, nonpartisan and “above politics.” The same needs to be said about election security, another CISA responsibility.
The fourth aspect of the coming transparency revolution is that the federal cybersecurity enterprise needs to adopt—urgently—a consumer-focused side that the American people can trust and rely on for impartial advice on personal cybersecurity.
It’s good the federal cybersecurity enterprise works with corporations that provide our networks, social media platforms, and major software products. Increasingly, though, the American people need authoritative, understandable cybersecurity information.
In cybersecurity, every American is now on the front lines—targetable by hostile nation-states, confidence tricksters, criminals intent on stealing money, and those wanting to sow hatred and division. This reality totally upends previous concepts of national security and political economy. In a “bring your own device” world, your iPhone or Android phone can be exploited to target you and your workplace, school, or neighbors. You need to know which apps transmit personal data overseas to servers under the effective control of the Chinese Communist Party, or how to instantly recognize the telltale signs of Russian or Iranian disinformation. Your social media feed can be manipulated in non-transparent ways to change how you vote, shop, or even think. Government cybersecurity needs to communicate effectively with individual Americans so they can protect themselves from cyber threats, without turning us into a nanny state.
Fifth, and most importantly, cybersecurity needs to be re-scaled by government, by non-federal stakeholders, and by everyday Americans.
The finest cybersecurity policies in the world are useless if they’re not adequately resourced. No matter what you may think of NSA, it is one of government’s most successful examples of having learned the importance of scale.
The Cyberspace Solarium Commission said Congress must invest significant resources in CISA and the private sector needs to increase cybersecurity spending. Top cybersecurity experts Richard Clarke and Rob Knake found that successful companies spent 8% of their IT budgets on cyber defense. Today, most don’t. CISA’s current budget, enacted during the Trump administration, is $2 billion, plus $650 million added in President Biden’s Covid-19 relief bill. In March, House Homeland Security ranking Republican John Katko called for CISA to become a $5 billion agency. He is in the right ballpark.
The Russian “Sunburst” hack into SolarWinds in 2020 and recent ransomware attacks from Russian-based criminal groups show what capable, well-resourced adversaries can do against systems that are vulnerable to cyber exploitation. We should be deeply concerned about adversaries exploiting gaps and seams in the ability of overseas-focused agencies like NSA to collect cyber intelligence inside the United States. Just because there hasn’t been a “cyber Pearl Harbor” or a “cyber 9/11” doesn’t mean that one is impossible. It means only that we’ve been lucky—so far. Cybersecurity today takes serious resources, trust, and transparency. Swift Senate confirmation of Inglis and Easterly is essential to help bring this revolution about.