Our New Cybersecurity Strategy: An Acronym Firewall

A couple weeks ago, I had a brief tour of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which probably isn’t quite as snazzy as U.S. Cyber Command’s Star Trek–inspired bridge, but looks more or less like the movies have programmed you to expect: A long wall filled with enormous screens displaying maps with each state’s self-assessed “cyber threat level,” the volume of traffic to various government networks, and even one for NCCIC’s Twitter feed. It’s not clear that this setup serves much functional purpose given that the analysts working there are already using three-monitor workstations, but let’s face it, taking tour groups reared on Hollywood’s version through a nondescript office would be a little anticlimactic. Which is to say, while the folks there are clearly doing some useful work, there’s an element of theater involved.

So too, it seems to me, with our political approach to cybersecurity more generally. The Washington Post reported Tuesday that the Obama administration plans to create a new Cyber Threat Intelligence Integration Center (CTIIC) within the Office of the Director of National Intelligence, which will join NCCIC and USCYBERCOM, as well as an array of private ISACs (Information Sharing and Analysis Centers) and CERTs (Computer Emergency Response Teams) on the digital front lines.  If firewalls made of acronyms could keep malware out, we’d be in fantastic shape.

The immediate reaction from both policy and security experts could best be described as “puzzled.”  After all, for several years we’ve been told that the Department of Homeland Security plays the lead role in coordinating the government’s cybersecurity efforts, and isn’t information sharing and integration pretty much what the NCCIC is supposed to be doing? That’s what it says on the tin, at any rate.  What, exactly, is supposed to be the advantage of spinning up an entirely new agency from scratch to share that mission?  Why would you house it in ODNI if your primary goal is to coax more information out of a wary and skeptical private sector?  Is there even good evidence that inadequate information “integration” is significantly to blame for the poor state of American cybersecurity? Our intelligence agencies, to be sure, could be doing a better job of sharing threat information with the private sector—but their own notorious culture of secrecy seems to be the limiting factor there. Even the White House’s own former cybersecurity coordinator, Melissa Hathaway, told the Post that “creating more organizations and bureaucracy” was unlikely to do much good.

My slightly cynical suspicion: Cybersecurity is just fundamentally hard, and given that it depends on the complex practices of many thousands of private network owners, there’s just not a whole lot the government can do to drastically improve matters—beyond, of course, being more willing to share their own intel and hardening the government’s own networks, which they don’t seem to be terribly good at. But cybersecurity is a Serious Problem about which Something Must Be Done, and so like the drunk in the old joke—who lost his keys in the dark, but is searching for them under a streetlamp because the light’s better there—we make a great show of doing the things government is able to do. And since internal tweaks designed to make existing agencies do those things more effectively won’t make headlines, thereby assuring the public that someone is on top of the problem, we get another spoonful of alphabet soup and another Hollywood command center to do the same thing with even bigger and more impressive wall monitors.  But as Amie Stepanovich of Access aptly told The Hill: “You don’t necessarily get your house in order by building new houses.”