While an increasing number of statutes and executive decisions organize agencies, allocate responsibilities and create inter-agency relationships, the current structure principally reflects historical and bureaucratic decisions by the agencies themselves rather than an overarching institutional design decision. As a result, the government structures for responding to cyber-threats are complex, with a number of agencies sharing authority in occasionally overlapping areas.
This chart, while by no means an exhaustive survey of government action in the realm of cybercrime and cyberwar, attempts to plot several of the major actors in those areas as well as the key relationships linking those actors together.
One consequence of this lack of centralization is the lack of agreed-upon categories and terms for discussing the types of threats and the forms of response.
Various government and private actors participate in preventing, detecting, and responding to various cyber-threats. Broadly speaking, these actors fall into four different categories:
- Cyber-specific federal agencies (e.g. Cyber Command)
- Defense and investigation agencies (e.g. Department of Defense, FBI, CIA, NSA, DOJ)
- Independent agencies with relevant concerns and vulnerabilities (e.g. Department of State, Federal Communications Commission)
- Private corporations
Under federal law, every agency has at least some cybersecurity responsibility: the Federal Information Security Management Act, U.S.C. § 3541 et seq., requires the head of each federal agency to ensure compliance with information security standards promulgated by the National Institute of Standards and Technology (NIST).
One of the many uncertainties inherent in this discussion is how to go about classifying the types of responsibilities we want to allocate among the various federal agencies. The White House Cyberspace Policy Review (the 60-Day Review) notes that it considers "Cybersecurity policy" to include the following activities:
- threat reduction
- vulnerability reduction
- deterrence, international engagement
- incident response
- recovery policies and activities,
"including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure." The 60-Day Review offers no explanation of what each term might entail (and in fact this might just be a throwaway list), but this provides at least a starting point for thinking about the array of responsibilities agencies may be saddled with in addressing potential and actual cyber-threats.
[Chart legend: relationships between actors are marked as either "Negotiated cooperation" or "De facto cooperation".]
A Government Accountability Office report discussing the Comprehensive National Cybersecurity Initiative sums up one of the major problems with the current organizational situation thus: "Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies."
The scarcity of official coordination between different government agencies raises a number of issues. Agencies may claim overlapping jurisdiction, leading to inefficient staffing and funding decisions (as well as inter-agency tension). At the same time, gaps in coverage between the jurisdictions of various agencies may emerge elsewhere. The inability of agencies effectively to share intelligence about possible threats in new technological contexts contributes to slower and less successful government responses.
As one example, this New York Times article describes how one hacker, Albert Gonzalez, was able to evade capture by the police for a number of attacks on different commercial websites while he was simultaneously under protection as a Secret Service informant.
Agency Organizational Strategies
The apparent weaknesses in the current agency structure suggest two major organizing strategies.
Top-down vs. Bottom-up Allocation of Responsibilities
First, agency cyber-security responsibilities have largely evolved in a bottom-up manner as agencies often unilaterally expanded their spheres of operation onto the Internet. In some cases this approach resulted in seemingly natural allocations, such as the Department of Justice and FBI taking responsibility for investigating computer crimes. But in other cases the result was overlap between disparate agencies responsible for performing substantially similar operations. For example, the Department of Defense has its own investigative office — the Defense Cyber Crimes Center; the Secret Service adds another layer of investigative authority with its Electronic Crimes Task Forces (which coordinate between federal, state, and local law enforcement activities).
Centralization vs. Decentralization
Second, management of cyber-threats is still largely decentralized, though the Department of Homeland Security has slightly increased the degree of centralization (and it's still unclear how Cyber Command is going to fit into the agency framework). There is no cybersecurity version of the Director of National Intelligence to centralize agency information and activities relating to cyber-threats, nor is there a mechanism for determining who is initially responsible for responding to a newly-discovered incident or threat. Given the difficulty in identifying the actor behind a particular attack, interested agencies will be generally unable to classify the nature of an incident — criminal, espionage, terrorist, or something else — prior to commencing the investigation and response. In the absence of centralization, this means that agencies must decide among themselves who should mount the response — or that they will risk the inefficiency and inconsistency of multiple agencies independently acting.
The current system is extremely fragmented and decentralized: until the creation of Cyber Command, allocation of responsibilities happened by default or necessity. With the advent of Cyber Command, however, there is great potential to rectify the problems of fragmentation, but there are correspondingly potential risks in concentrating power in one agency. There are a few options for centralization versus decentralization that a cyber-focused institutional structure could take.
- this structure would have almost no disruption in changing from the current system
- responsibility for responding to an attack would be allocated either to the first agency that is alerted or to the one that has the right technical tools
- there is less risk of agency over-reach into places like civilian networks, since practically speaking, no agency will have the tools, or perhaps agencies will check each other
- the practical allocation of responsibilities may make the most sense in a decentralized system, assuming that agencies have adopted issue areas that are close to their core missions (though this is not always the case)
- decentralization may breed creativity and more innovation in responding to attacks
- however, one problem is that responses might not always come from the right agency
- under a decentralized structure, agencies may not share information (for an example of these flaws and a reaction to them, see pre- and post-9/11 counter-terrorism responsibilities)
- there may be competition among agencies to keep the best technical resources; agencies will not want to share with others if they want to take credit for handling more attacks
- overlapping responsibilities and inefficiency: there may be multiple agencies with the resources to respond to a certain kind of attack
- leadership from Cyber Command
Involving the Private Sector
Since the vast majority of critical Internet infrastructure is in private hands, the private sector clearly has a role to play in addressing cyber-threats, especially when it comes to ensuring the resiliency of our networks. But effective cooperation between government and the private sector is burdened by a variety of hurdles:
- Communication: Under the current framework, it's unclear how agencies and private companies should interact. For example, if a federal agency detects an intrusion into a private system, should that agency immediately notify the company? If so, how? On the flip side, if a private company detects an intrusion into its own systems, how do we ensure that an appropriate agency receives that information?
- Information sharing: This is closely tied to the communication issue. Government may be reluctant to share information with the private sector in general for fear of disseminating sensitive information (for example, sharing information about a detected intrusion may reveal the nature of the detection systems that are in place). The prevalence of multinational corporations further complicates this issue; U.S. agencies may be especially wary of sharing information with a company based in China, even when that information may otherwise address a security problem. And from companies' perspective, providing information to government agencies may be seen as a risky activity—they are likely to worry about sharing trade secrets, business strategies, and other sensitive data that may eventually leak out (some of which may be subject to FOIA requests absent clear exemptions). Companies may be similarly reluctant to provide information regarding recent or ongoing cyber-attacks.
- Coordination: How can government agencies work together with the private sector to proactively improve security and network resiliency?
The Enduring Security Framework
According to testimony by James N. Miller, Principal Deputy Under Secretary of Defense for Policy, "[t]he Enduring Security Framework is a public-private partnership between the Director for National Intelligence, DoD, the Department of Homeland Security, and the private sector; its goal is to provide a permanent forum for USG-industry dialogue."