The U.S. government ought to consider forging stronger ties between agencies that manage cybersecurity, including possibly unifying their cyber defense components in a single agency, the National Security Agency’s top cyber defender said today.
Combining aspects of NSA, the FBI and the Homeland Security Department into one cyber defense organization would give cyber defenders a clearer picture of what they’re up against when government computer networks are breached and it would speed up response times, Curtis Duke, NSA’s deputy national manager for national security systems, told an audience at the American Enterprise Institute.
“I’m now firmly convinced that we need to rethink how we do cyber defense as a nation,” he said.
Currently, NSA defends the government’s national security systems against cyberattacks. DHS is in charge of defending non-national security systems and the FBI investigates the criminal aspects of cyberattacks.
DHS typically requests NSA’s help when the government is responding to a major attack such as the 2015 breach of sensitive records about 21.5 million people from the Office of Personnel Management. But it can take days or even a week before government officials complete the paperwork to get NSA on site, Dukes said.
That means NSA investigators lose time and precious insights, he said.
Investigations are further delayed while the three major cyber departments figuring out who should take the lead and what their priorities are, he said.
“Who’s going to be in charge? Is it always going to be a criminal matter? Or, when it’s non-national security is it DHS and when it’s national security is it NSA?” he said, laying out the difficulty.
“By the time we get that all sorted out, we’re at a disadvantage when it comes to an adversary,” he said.
As a possible model for combining agencies’ cyber capabilities, Dukes suggested Britain’s National Cyber Security Centre where cyber defenders with the British spy agency GCHQ provide defense for the entire government.
Any realignment of cyber responsibilities that significant in the U.S. would require action by Congress. The Obama administration has made smaller moves to unify cyber operations, such as launching the Cyber Threat Intelligence Integration Center in 2015, which shares cyber threat information, such as known software vulnerabilities, throughout government.
Dukes also bemoaned the poor state of government cyber defenses during his speech at AEI and during a question and answer session that followed. He noted that all major U.S. government breaches during the past year relied on software vulnerabilities that were already known and could have been patched.
“In the last 24 months, OPM, [the Executive Office of the President] and the State Department weren’t particularly well protected, so the adversary didn’t have to use a zero day,” he said referring to software vulnerabilities that aren’t known by the manufacturer or by cyber defenders. “They could use a known exploit that they knew had not had a patch installed.”
Duke’s goal, he said, is to “raise the cost to the adversary. They’ll, then, have to start actually using zero days against us,” he said.
Dukes declined to say whether a collection of zero days and other hacking tools recently disclosed by a group called Shadow Brokers is the same collection allegedly stolen by former NSA contractor Harold T. Martin III who was arrested in August.
He noted that Cisco and other companies have patched vulnerabilities exposed by that leak.