The Defense Bill Could Rewrite How the US Does Cyber Defense

A new Office of Joint Cyber Planning proposed in an amendment to the 2021 defense policy bill aims to help government and private actors respond more quickly to cyber attacks mounted from Russia, China, and elsewhere.

“The Office shall lead Government-wide and public-private planning for cyber defense campaigns, including the development of a set of coordinated actions to respond to and recover from significant cyber incidents” reads the amendment. It would allocate $15 million to stand up the office as part of the Cybersecurity and Infrastructure Security Agency, or CISA.

Today, companies are largely on their own for cybersecurity defense. Even in responding to big incidents, there’s little coordination between the government and the private sector.

Take, for example, the DNC hack of 2016. The U.S. government may have known as early as 2015 about Russians’ presence on servers belonging to the Democratic National Committee. Cybersecurity company CrowdStrike spotted unusual activity on those servers in May 2016. But it wasn’t until July 2018, nearly two years after the release of information stolen from the DNC, that the NSA announced the formation of a special group to counter aggressive Russian cyber activities. 

In short, there’s a lot of room for improvement in coordinating public and private cyber responses.

Making those improvements is essential to national security, especially as more adversaries rely on online operations to confront U.S. power, says Jonathan Reiber, senior director for cyber strategy at AttackIQ and a former chief strategy officer for cyber policy in the Office of the Secretary of Defense.

Reiber has written that better coordination isn’t just important for private entities looking to protect themselves but also the U.S. government, that is, if it’s going to live up to the idea of proactive cybersecurity in the face or Russian, Chinese, and other threats, an approach that Cyber Command calls “defending forward.”

“There has to be a level of integration between the Defense Department and these companies because the Defense Department is the only agency that has the authority to conduct operations abroad to blunt and block an incoming attack,” he said. “So the onus falls on Cyber Command to do that....But Cyber Command is going to struggle to do it because the cyber mission force is still growing and maturing and also adversaries can use multiple components of infrastructure all over the world to conduct an operation.”

In a future conflict, Reiber says, “the government would have to ask the private sector for help, so there has to be this kind of joint planning office. It really should focus on building up voluntary combined operations, which is different than the government demanding that the private sector do something through a mandate.”

The recommendation to create the office comes out of the Cyberspace Solarium Commission report so it already has broad bipartisan support.

Dmitri Alperovitch, a CrowdStrike co-founder who now leads Silverado Policy Accelerator, said that he supported the idea. “I do have concerns, however, about the remit of this office being too large and involving too many players who do not bring to bear unique capabilities in the digital domain. The best and most efficient structures are often ones that are small and nimble. I encourage Congress to consider scaling the concept of this office in its initial years down to its core mission and allowing it to expand in the future as appropriate."