Like the Office of the Director of National Intelligence, But for Cyber

The U.S. is in a 'war' for cyber talent, and in our opinion, we are in danger of losing it. 

We are not talking about the benign sort of competition for that talent that occurs between companies and government agencies in the overheated U.S. labor market, although that's not unimportant. Rather, we are talking about the development and deployment of U.S. cybersecurity professionals to protect our country's national security interests, especially vis-à-vis those of geopolitical rivals like Russia and China, Iran and North Korea, and their extralegal proxies. 

Simply put, our adversaries are producing and using more cyber talent than we are, and that talent translates into more cyber capability, especially the national security kind…at least potentially. And while we can close some of that gap from a qualitative standpoint—we have some of the world's smartest people protecting us—and have done so to date, that may not be enough. As the U.S. and its allies become more and more digitally dependent—and more and more digitally vulnerable as a consequence—we should all be worried about ensuring that our country has the cybersecurity talent and concomitant capability and structure to protect us. And that means having enough skilled cyber professionals, in both private and public sectors, to stand watch over the U.S. government's data, systems, and networks, including but not limited to those that are classified. 

But in the case of cybersecurity, it's even more complicated than that…it also means having the cyber talent and capability and structure to protect all of the Nation's critical information and communications technology infrastructure, most of which is owned and operated by our private sector. That is the underlying focus of a congressionally mandated report just issued by the National Academy of Public Administration, and we have some thoughts about its recommendations.

Developing the nation's cybersecurity workforce

Simply put, it is our view—as well as the NAPA Report's—that the U.S. is not developing and deploying enough of the skilled cyber professionals we need to protect and pursue our national interests broadly defined, and the report recommends that among other things, the new National Cybersecurity Director—former National Security Agency (NSA) Deputy Director Chris Inglis is the first to have that illustrious title—should oversee a national effort to achieve that lofty goal from his perch in the Executive Office of the President.

While that is certainly a good start, we are not sure that this ultimately goes far enough. In our view, trying to lead and more importantly, sustain such an effort from the EOP, as politically charged and resource constrained as it usually is, will almost certainly result in suboptimization, and we strongly suggest that cybersecurity leadership from the White House be augmented by a more expansive—and in our view, ultimately a more sustainable—approach, one born out of our experience in setting up and leading the Office of the Director of National Intelligence. 

ODNI was tasked with overseeing a similar effort by the Congress in the Intelligence Reform and Terrorism Prevention Act of 2004, in hopes of preventing another 9-11. And it did so with a politically compromised structure that was neither central bureaucracy nor a "czar" based in the White House. The fact is that it worked, at least after a fashion (primarily because of the unsung efforts of its dedicated staff), but in so doing, it may just have created a new organizational model, one that in our view, a cyber czar in the White House desperately needs.  

Why is this important? Because as the NAPA Report points out, the nation's cybersecurity—and the development of a second-to-none U.S. cybersecurity workforce that serves its interests—is perhaps the ultimate in team sports, requiring the cooperation and collaboration of a whole host of federal, state, local, non-profit, and private sector actors. As a consequence, its structure, and the direction, authority, and control over such things as budgets and personnel, really matters. Indeed, it may be the difference between the success and failure of the National Cybersecurity Director, at a time when few things are more important to the security of our digitally dependent Nation.

Why not the National Cyber Director?

As noted, the NAPA Report would put the National Cybersecurity Director in charge of developing a national cybersecurity strategy that is grounded in a strong, capable cybersecurity workforce. What does that mean, exactly? In our view—and we have some experience in the matter—it means coordinating the efforts of a host of actors across the private sector, academia and state and local government that have historically resisted federal control. Even federal agencies can be resistant to centralized authority, protecting their own bureaucratic interests even in the face of a "whole of government" imperative like cybersecurity. 

In our view, tasking a White House czar to herd cybersecurity policy, strategy, and operations is a true mission impossible. There are too many examples of this—the diminutive Office of National Drug Control Policy is perhaps the most obvious—to count. The sad fact is that even when it may be in the national interest, few will salute (or succumb) to White House direction, particularly if it means subsuming their own parochial interests to that direction. 

Bottom line: That stick doesn't work for the cybersecurity enterprise. 

In our cynical view, the carrot won't work either. In this case, the carrot is money—the promise of federal funds as an incentive to do the NCD's cybersecurity bidding, in coordination with the Office of Management and Budget. While all of the various independent and semi-independent actors involved in that effort will gladly take federal funding, that funding comes from a variety of sources. At least seven federal agencies have grant programs in this area, not to mention funding from state and local governments, school districts and schools, public and private donations, colleges and universities, etc., and while they all seek to incentivize cybersecurity generally (and cybersecurity education specifically), the devil's in their details, and the NCD's small staff can hardly be expected to herd all of those cats. 

What about a Department of Cybersecurity?

If "authority, direction, and control" over the development of the nation's cybersecurity workforce and broader cybersecurity operations cannot effectively come from a small office in the EOP, why not apply the Department of Homeland Security model and put all of the relevant agencies under one bureaucratic roof? 

It should be obvious that this other extreme is just as problematic. Indeed, one need only look at the challenges that have faced DHS since its mega-merger inception to question the efficacy of this approach. That is not a criticism of DHS, just a fact. It is therefore fair to ask whether the nation's cybersecurity can benefit from a mega-merger of existing capabilities and programs.

We think not. Cybersecurity depends not only on achieving "horizontal" unity of effort among the federal agencies that have a piece of the cybersecurity mission, but also building and unifying a "vertical" coalition as well, among all the public and private institutions and organizations that have some influence over cybersecurity.

All of those entities have something to do with the development of a U.S. cybersecurity strategy and a workforce to execute it, and they are all independent—not only legally but also in mindset—and the political and pedagogical complexities in achieving that unity of effort amongst them, whether by persuasion or by direction, are simply mind-numbing.  

Our Proposal: the 'Goldilocks' solution

So, if a White House czar on one hand, and a centralized Department of Cybersecurity on the other won't work, what do we suggest? In our view, challenges like cybersecurity, and the development and deployment of a national cybersecurity workforce as a subset of that challenge, simply do not lend themselves to a hierarchical, command-and-control model emanating from Washington, D.C.

We saw that play out first-hand with the Congress's creation of the Office of the Director National Intelligence, which shied away from establishing a Department of Intelligence that mirrored its contemporary DHS cousin, in favor of something that was more federated in nature. That structure was established largely by default, to try to integrate the intelligence community without disturbing the jealously guarded statutory authority and control that cabinet secretaries—especially the secretary of defense—have over their intelligence agencies. 

Congress attempted to do both with ODNI, and one can argue that that compromise had (and has) its faults. But the dedicated leadership and staff in ODNI managed to make that structure work, if not optimally, then at least better than top-down bureaucracies like DHS. Indeed, we used to compare notes with our DHS colleagues, who lamented the practical limitations of simply telling the Department's components what to do, only to have them do what they wanted. 

We recommend a similar model for cybersecurity and the development of a supporting national workforce. Such a structure acknowledges the whole of nation nature of the cybersecurity mission (including the development of a national cybersecurity workforce); realizes that collaboration, rather than hierarchical direction, is the key to achieving any sort of unity of effort in that regard; and institutionalizes that effort in a single organizational hub that is insulated from the political football that is the EOP.

That model must be sized to do its strategic job: not with the thousands of "headquarters-knows-best" staff that come with a mega-department merger; but more than just a handful of experts in the EOP who can only issue platitudes and principles. 

In other words, for better or worse, an ODNI-like structure that can integrate the horizontal and vertical efforts of all of those public and private entities that have a role to play in that regard, big enough to be able to provide the strategic guidance and oversight necessary to achieve that end, but not so big as to be tempted to try to direct or control all the entities involved in safeguarding cybersecurity.

Ronald Sanders is staff director of the Florida Center for Cybersecurity.

Mike McConnell is executive director of the Florida Center for Cybersecurity at the University of South Florida.