Who Owns Cybersecurity?

There is a government brawl underway over cybersecurity.

The Department of Homeland Security’s National Cyber Security Center (NCSC) is legally responsible for cybersecurity for nonmilitary parts of the government. It is also supposed to help state and local government and the private sector protect their networks. But Shaun Waterman reports that the guy running that center just quit because the National Security Agency (the wiretapping intelligence agency) was basically running his office and taking over its function.

According to Walter Pincus’ article in today’s Washington Post, Strategic Command (the nuclear weapons command) is in charge of offensive cyber attacks and defending US military networks from cyberattack. But the NSA oversees Stratcom’s cybersecurity activities, somehow or other.

The White House is conducting a 60-day cybersecurity review, which is being led by an official in the office of Admiral Dennis Blair, Director of National Intelligence. Blair wants a bigger role for U.S. intelligence agencies in cybersecurity. Presumably that means the NSA, which employs some of the nation’s leading cryptographers. Meanwhile, Obama is likely to give General Keith Alexander, head of NSA, his fourth star and make him the White House’s cybersecurity coordinator (aka, the cyberczar).

So it sounds like the review may be moot – the decks are stacked for the NSA to take over. The Federal Times, however, reports that Congress may upset those plans. Congressmen on the homeland security committee still want DHS in the lead.

What about private networks? The White House Review will address that too. Alexander has said that the NSA should play a role. But right now, according to most people, it’s DHS’s job. Pincus writes, “Responsibility of protecting civilian networks currently rests with the Department of Homeland Security.”

I would have thought it rests with the network operators. Missing in this debate, from what I can tell, is any attempt to outline what public goods are at play. Clearly, the federal government should defend its own networks. (Whether it should do so through the leadership of an agency recently engaged in vast illegal activity is less clear.) The feds should probably also collect intelligence about cyberattacks, make it available to the public and pursue perpetrators. But providing security to private entities, through technology transfers or consultation, seems akin to providing locks to homeowners. That may be too simple – and the relevant distinction may be whether we are talking about state or non-state threats – but it’s something that the review should consider.

Here’s more on the great cybersecurity freakout.