Although the aftershocks of COVID-19 will last for years, one result is already clear — shifting more activity online has increased our society’s digital dependence even faster than expected. The federal government’s cybersecurity capabilities need to keep pace.
Although some Federal agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), have made significant improvements over the last few years, at least three factors impede government-wide progress. First, cybersecurity’s cross-cutting nature does not fit with the U.S. government’s bureaucratic structure. Second, agencies are not incentivized to sustain the degree of coordination required for effective cybersecurity. Third, a lack of central leadership hinders effective incident response. No single policy action will solve these problems, but creating a National Cyber Director along the lines of what the Cyberspace Solarium Commission recommends would be a good start.
Bureaucracies prefer issues that fit neatly into one organization’s mission. Cybersecurity is almost the exact opposite. It is a national security, military, intelligence, economic, public safety, privacy, diplomatic, law enforcement, business continuity, and internal management issue all rolled into one. It touches all federal agencies, with many of them a legitimate role in cybersecurity. Thus, cybersecurity is too broad for any single agency’s remit. Further, a normal bureaucratic response to such a situation, creating a “Department of Cybersecurity,” will not work either; cybersecurity is too integral to too many agency’s missions to centralize those functions in one department.
At the same time, cybersecurity’s different aspects are not independent — they interact with each other, sometimes in unexpected ways. Military cyber operations can disrupt intelligence activities or law enforcement investigations. Treasury sanctions could upset diplomatic negotiations. DHS personnel focus on mitigation, while the Federal Bureau of Investigation and Department of Justice concentrate on prosecution. Network defenders want information from the private sector, but many are worried about regulatory action if they share. Welding these disparate activities into an effective whole requires intense, regular, sustained inter-agency coordination. This coordination does not occur naturally in government: personnel have limited incentives to coordinate activities across departmental and agency lines. That’s not a moral failure or laziness, but the reality of human psychology.