Cybersecurity Does Not Need a Silver Bullet Agency

The United States is woefully unprepared for a “Cyber 9/11.” Addressing that danger must be a top priority for the U.S. Government, but it does not require a single “Department of Cybersecurity” as some have argued. Creating a new department would shuffle responsibilities, authorities, and people to such a degree it would set the country back at least a decade.

The lessons arising from the creation of the Department of Homeland Security (DHS) are pertinent. Establishing even basic agency functions in a politically-charged and bureaucratically-challenging environment is daunting. And bureaucratically challenging it would be—the agencies contributing people to the new department would fight the process, giving the department as few resources, authorities and good people as possible, and most likely leaving it hobbled on many levels. I remember hearing stories of DHS Secretary Tom Ridge making his own copies, and the difficulty DHS had in getting pencils and paper.

Even casting aside the difficulty of formation, creating a Department of Cybersecurity is not a good idea. It would be impossible to centralize all the authorities necessary for effective cybersecurity—technical, operational, investigative, intelligence, responsive, and diplomatic—into a single agency without massive duplication of the functions of the Departments of Defense, Justice, State, Commerce, and Treasury, and much of the intelligence community. The coordination challenges between like functions, such as between the newly-created cyber cops and the FBI and Secret Service, or between the cyber diplomats and the Department of State, would be orders of magnitude greater than the difficulties created by merely having to coordinate across agencies on cybersecurity.

More reasonably, Congress could create a centralized point of cybersecurity expertise on technical and operational issues, which are not the inherent responsibility of—for example—the Defense or Justice Departments. This, however, has already been done in the National Protection and Programs Directorate (NPPD) at DHS. The objection (fair or unfair) is that DHS is not as effective as it needs to be; Congress, therefore, needs to act to make DHS more effective in its cybersecurity mission. Fortunately, Representative Mike McCaul (R-TX) is leading efforts in Congress to make NPPD a much more independent organization within DHS, an “operational component” like the Secret Service, which can be given the responsibilities, resources, and independence to be effective.

Congress needs to take other steps as well. First, DHS must be given the authorities necessary to accomplish its mission. DHS authorities have improved but remain puny compared to those of the Department of Justice. DHS does have the authority to coordinate, but if we want it to do something more, then we need to make sure it has the authority to accomplish the mission. Second, Congress must fix the way it oversees DHS—or if that is too tall an order, at least how it oversees cybersecurity at DHS. In the neighborhood of 100 congressional committees and subcommittees have a role in this process. Anyone who has worked at a senior level at DHS or another U.S. government agency will tell you that congressional oversight at DHS is broken and an impediment to effective operation.

And old saw in cybersecurity is that there is no “silver bullet.” That usually refers to technology, but it is just as applicable to organization. A new department is not a silver bullet—it’s magical thinking that a new agency will solve every problem. Less extensive reorganization and real authorities will do much more with less disruption and delay.