Public-Public Partnerships: Cyber Intelligence Coordination Within the Department of Homeland Security
A new cyber intelligence sharing paradigm within the Department of Homeland Security has the
Published by The Lawfare Institute
in Cooperation With
The Department of Homeland Security is an expansive agency, responsible for counterterrorism, protection of critical infrastructure, cybersecurity, and much more. Because of its broad set of responsibilities, many experts and lawmakers claim that the agency is too widespread, too decentralized, and too unwieldy and that it needs to be dismantled. Fully deconstructing the department would be quite the task and is perhaps unrealistic. However, it is worth finding efficiencies across several of the department’s responsibilities—specifically in the cyber domain—to improve the safety and security of the American public.
The Department of Homeland Security has three components with significant cyber missions—the Cybersecurity and Infrastructure Agency (CISA), Immigration and Customs Enforcement/Homeland Security Investigations (ICE/HSI), and the U.S. Secret Service (USSS). (Some might include the U.S. Coast Guard in this list, but due to its attachment to the Department of Defense, I am excluding it from this discussion.) These three agencies have overlapping and adjacent missions and authorities in the cyber domain but often do not collaborate on specific cases or incidents—especially in their field offices. The Department of Homeland Security should do more to harness its collective power and showcase how a unified department can operate and succeed. The department should seize this opportunity and create a new paradigm: strategic cyber intelligence hubs.
Perhaps more importantly, or more urgently than Homeland Security efficiency, the effects of cyber threats are increasingly spilling into the physical world—hospitals are being taken offline, people are losing their hard-earned money to ransomware and other cyberattacks, water and utility plants are being targeted, and much more. The blurring of lines between attacks in cyber and physical domains does not exactly match how many government agencies are organized to prevent potential threats. Most, if not all, deal with cyber threats distinctly from physical world threats. Therefore, the skills needed to prevent, investigate, respond to, and move on from the different types of attacks are also distinct. For example, protecting a local bank branch is different from protecting the bank customers’ digital files. But an attack on those files can affect the customers, so the bank must invest in both types of security and be able to rely on government help to find a bank robber who appeared in the branch’s lobby with a gun or a criminal who stole funds using a computer—or both of those criminals who might be working together. This distinction—while understandable—does little to help Americans stuck trying to figure out how to defend themselves or their small businesses in the face of endless attacks from sophisticated criminal organizations and nation-states with advanced offensive cyber capabilities.
The Department of Homeland Security is uniquely positioned to harness the powers of its disparate missions to better understand cyber threats and the context that surrounds them, and then to inform the American public to improve their security.
The Department’s Opportunity
So how can the Department of Homeland Security build a new paradigm to counter emerging threats and adapt to a newer bureaucracy? As mentioned previously, the department has three components with missions that focus—at least in part—on cybersecurity. It remains unclear to what extent the components coordinate or cooperate in their investigations or outreach with each other, private-sector partners, international partners, and other federal agencies, but, at best, collaboration seems to occur in an unstructured and/or informal manner.
CISA, ICE/HSI, and USSS have experts across the cyber and physical domains. While there has been a great push to force government and private industry to collaborate and cooperate, no forum currently exists that encourages or mandates collaboration within government across disciplines from an investigative or intelligence analysis perspective. The Department of Homeland Security can create this space to promote the exchange of ideas and strategies across its different components to ultimately improve cybersecurity for the American public. If successful, the department could set an example for other government agencies to promote cooperation and collaboration within and across different departments—beyond Homeland Security—to better American lives and security.
The Proposal
To harness the specialized skills of CISA, ICE/HSI, and USSS—in addition to the expertise of enabling components like the Department of Homeland Secrity’s intelligence arm, the Office of Intelligence and Analysis, and its Science and Technology arm—the department should embrace the formation of “strategic intelligence hubs” within its field offices to improve safety in cyberspace for the American public.
First, the department should evaluate its CISA, ICE/HSI, and USSS field offices and determine which of them offer an expertise in specific criminal or national security threat pathways such as ransomware, money laundering via cryptocurrency, or fraud. Those field offices could be named strategic intelligence hubs (SIHs) and be charged with building rich operational and strategic intelligence portfolios related to these crimes that could then be leveraged by other field offices as crime migrates across geographies. At present, information may be siloed for investigative or intelligence purposes or exist in large, uncurated pools that make it less useful for analytic purposes. Depending on the situation, these offices could share information with other relevant field offices across Homeland Security components to better address potential cyber threats with physical effects on critical infrastructure and, more generally, American life. This new approach would tailor analysis around certain criminal pathways as opposed to creating a repository of all cyber threat-related information. For example, if small businesses in a northern California county are falling victim to business email compromise (BEC) scams, rather than CISA, ICE/HSI, and/or USSS looking at their entire siloed universe of cyber threat indicators or even the universe of relevant intelligence about recent BEC patterns, an SIH in a USSS field office that has been curating relevant intelligence about BEC from all three components could quickly provide relevant information to incident responders or investigators and perhaps even quickly link it to criminal activity in another jurisdiction or even prevent the next attack.
As threats evolve, new SIHs can be created and outdated ones can be dissolved, so as not to waste any government time or resources. By maintaining and creating relevant SIHs to address current and potential threats, the Department of Homeland Security would make intelligence sharing between its components much more efficient. This would also safeguard against a potentially deadly lack of communication between Homeland Security offices simply because they are not designed to be in direct, constant contact with one another. Because of increased efficiency, the sharing of information between components via these hubs will likely maximize intelligence value, since it will be actionable more quickly. But there are even more benefits to their creation beyond just increasing intelligence value.
First, SIHs would break down institutional barriers within the Department of Homeland Security because they would encourage important collaboration, while also strengthening the Office of the Secretary in an agency where the operational components notoriously wield a great deal of power. As components coordinate and cooperate with each other more readily, they begin to act as a more cohesive department and the secretary can more easily present a unified picture of what the department is doing. Additionally, senior-level policymakers would have access to a clearer intelligence picture when they interact with other senior leaders to make national-level policy decisions. Homeland Security can achieve these gains without creating any new structures within the department or creating a need for more resources because the structures already exist. The SIHs would just give field offices the ability to share, collate, and distribute information using their existing authorities and bureaucracies.
Perhaps most importantly, though, the creation and implementation of SIHs would allow components—and more broadly the Department of Homeland Security—to organically foster expert cyber cadres within their field offices. Key cyber talent could be attracted to the Department of Homeland Security to hone their craft targeting a specific cyber threat in one component where they can really sink their teeth into combatting a mission-specific problem, while also interacting with other experts working on different issues at SIHs. This exposure to other potential threats at SIHs could serve as an on-ramp to building the cyber talent pool that the department needs to maintain its edge against the shifting sands of digital criminal operations.
The Payoff
Some observers might view this idea as simply another attempt to keep a sprawling Department of Homeland Security bureaucracy intact. Despite these concerns, the implementation of SIHs could be a real game-changer for the department’s efficiency and success. For example, say a single foreign criminal gang uses ransomware to attack American victims in three geographically distinct places (such as Maine, Texas, and Oregon). Department field offices in those three places would likely begin investigating those crimes separately, even though the crimes themselves are linked. They might spend days or months piecing things together, not knowing that their colleagues in other states are working on the exact same puzzle. An SIH would provide a core repository of the latest intelligence that multiple components could access simultaneously, thus allowing investigators and cyber first responders to quickly piece together a complex criminal puzzle involving multiple victims in dispersed locations. Additionally, this crucial ability to quickly assess the scope of potential victims from a criminal pathway and understand the evolution of a criminal actor based on information from multiple agencies may be enough to coax famously hesitant federal investigators into sharing a bit more information with their partners in a manner that won’t be detrimental to their ongoing case files and could increase their likelihood of solving cases with evidence useful at trial.
Building these hubs would also be largely beneficial for the American people. The creation and implementation of SIHs would make it possible to take into account each separate component’s operational needs to ensure that investigations and eventually prosecutions are not affected by unnecessary disclosure of investigative information. At the same time, the American public’s privacy and civil liberties would be maintained without expanding the federal bureaucracy or granting investigators additional authorities to obtain more information about the public.
Safety and security in the cyber domain may well turn out to be the defining security problem of this generation. It is important to take steps now—such as by creating SIHs—to position the Department of Homeland Security for future success in an evolving cyber landscape.