The last two years have been rife with reasons to be concerned about national cyber security in the United States: from Edward Snowden’s leaks regarding NSA domestic and international surveillance, to the allegedly North Korean attack on Sony Pictures, to a recent Russian attack on a White House network, to the GAO’s “high-risk” listing of the terrible gaps in U.S. cybersecurity. It should therefore come as no surprise that we find the U.S. government flailing, haphazardly establishing various poorly connected initiatives in a desperate attempt to stay above water in a brave new world.
The latest step in these efforts is the establishment of the Cyber Threat Intelligence Integration Center. During a keynote at the Wilson Center in Washington, D.C., assistant to the president for homeland security and counterterrorism Lisa Monaco said: “Currently, no single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers … and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors. The CTIIC is intended to fill these gaps.”
The “gaps” to which Monaco refers are really tremendous chasms between U.S. agencies like the FBI, CIA and NSA, which traditionally don’t like talking to one another. In the golden age of espionage, this could be a good thing that aided national security. But in the information age, more information is better, and sharing is the only way to improve national safety.
With an increasingly large number of organizations dedicated to handling the daunting task of keeping the United States safe from outside attacks, it is all the more important that they communicate with one another and stay organized and transparent.
“In the cyber context, we need to share threat information more broadly and to coordinate our actions so that we are all working to achieve the same goal,” said Monaco.
Just another agency
But not everyone is convinced that the CTIIC is necessary, or that it will really accomplish its stated purpose. One new member in a sea of acronyms, the CTIIC is considered extraneous by some, or a potential excuse for the government to collate and collect private information: not worth the $35 million it will cost to establish.
Greg Nojeim of the Center for Democracy and Technology is one such skeptic, and has been quoted as saying: “Given the number of other agencies that have cybersecurity threat integration responsibilities, it’s not clear that a new agency is needed.”
Speaking with The Guardian, Nojeim added, “We are keen to hear from the White House about the measures it will impose to ensure that this new agency operates transparently, with effective independent oversight, and does not become a repository for personal information unnecessary to counter cyber threats.”
What’s more, the CTIIC follows a familiar template, and is modeled after the National Counterterrorism Center, which deals with terrorist threats at home and abroad. The U.S. government understands terrorism, and knows all too well how to fight it, and thinks that the same methods will help it to manage a cybersecurity crisis.
But the facts show this strategy is failing miserably. The CTIIC is not the first effort the U.S. government has made in the last few years to improve public IT, as the government has already spent billions of dollars to manage the digital frontier – the Pentagon itself spends $5 billion every year on cybersecurity. And according to this month’s GAO report, national cybersecurity is still plagued by terrible problems, and words like “inadequate”, “inconsistent” and “partial” were used to describe the government’s efforts. Since 2006, the number of information security incidents reported by federal agencies to the US-CERT has increased by 1,121%.
Cyber threats and terrorism are apples and oranges: both fruits, but of completely different kinds. The U.S. government is trying to manage a 21st century problem with 20th century solutions, much as the FCC has done by trying to regulate the Internet as a utility. Leading technology companies are feeling the brunt of these moves, and Verizon released a satirical statement in Morse code regarding the FCC’s new rules to emphasize the inadequacy of outdated methods where new problems are concerned.
So is the CTIIC good or necessary? Perhaps, with proper oversight, it could marginally improve the existing state of U.S. cybersecurity. But perhaps the time has come to stop thinking of ways we can glue the old system together, and come up with something better suited for the decidedly unique threats of the modern world.