Mediaboss Marketing

Thomas Warrick was DHS Deputy Assistant for Counterterrorism Policy from August 2008 to June 2019 and is now Director of the Future of DHS Project at the Atlantic Council.

Javed Ali held senior counterterrorism positions at DHS, the FBI, the Office of the Director of National Intelligence, and the National Security Council. He is a Towsley Policymaker in Residence at the University of Michigan.

OPINION Eyebrows were raised when the Biden administration initially chose veterans of the usually secretive National Security Agency (NSA) for all four top cybersecurity positions in the most diverse administration in U.S. history.

The two leaders who face confirmation hearings on ThursdayChris Inglis as National Cyber Director and Jen Easterly as director of the Department of Homeland Securitys Cybersecurity and Infrastructure Security Agency (CISA)deserve confirmation by the Senate. They, along with NSA senior executive Anne Neuberger, the Deputy National Security Adviser for cybersecurity, and Amit Mital, who in April replaced NSAs Michael Sulmeyer as senior director for cybersecurity, could be the right people to help lead what needs to be a transparent revolution in cybersecurity.

Given NSAs reputation for secrecy, this might seem odd. In fact, what these NSA veterans share, apart from strong individual qualities, is their knowledge that what is needed now in civilian cybersecurity is significantly increased transparency and an emphasis on enhanced information-sharing. As national security practitioners, they knowas do we (between the two of us we have more than fifty years experience) that while secrecy has its place, especially in protecting sources and methods, it also has its limits. And given the need in cybersecurity for information-sharing, speed, and strong collaboration between the public and private sectorsa critical feature that sets cybersecurity apart from other aspects of national securitydefaulting to a secretive and insular approach would be a mistake.

The first reason to expect a revolution in transparency is that strong cybersecurity requires a robust partnership between the government and the many technology stakeholders who own information technology infrastructure, platforms, and services that adversaries target.

Almost all the cyber infrastructure in the United States is outside the hands of the federal government, in the hands of private industry, state and local governments, academia, and other non-federal sectors. Conversely, much of the information about cyber threats or adversaries intentions and capabilities is in the hands of the federal intelligence and law enforcement communities. As both the Cyberspace Solarium Commission and the Future of DHS Project concluded, cyber operators in this non-federal space need high-fidelity, often classified intelligence to first identify threats to their networks and then to justify actions to their C-Suite executives to defend them. Increasing the speed of sharing is now vital. Recent attackslike those against Colonial Pipeline and JBS Foodsshow that government and private operators need to exchange information, including attribution, in real-time and at network speeds. Hostile nation-states and criminals will hold U.S. national security and prosperity at risk unless the federal government and private sector open up to each other.

Second, the federal cybersecurity enterprise needs the trust of the American people.

For the private sector and government to work together at network speeds, it is essential there be trust, communication, and a shared understanding of desired outcomes. This is one reason security veterans know that NSA is not the right agency to lead civilian cybersecurity. NSA is trusted within the government, but for historical reasons, not so much outside it. This is why the role of DHSs CISA is so important, and why confirming Jen Easterlywhose career spans both cyber and non-cyber threats, and both the government and private sectorsis critical.

Third, to keep the peoples trust, civilian cybersecurity effortsand the information that private citizens provide the government to help secure our networksmust never be used for partisan political purposes.

Like the military and the intelligence communitiesfrom which NSA comesthe federal cybersecurity enterprise needs to be, to the greatest extent possible, nonpartisan and above politics. The same needs to be said about election security, another CISA responsibility.

The fourth aspect of the coming transparency revolution is that the federal cybersecurity enterprise needs to adopturgentlya consumer-focused side that the American people can trust and rely on for impartial advice on personal cybersecurity.

Its good the federal cybersecurity enterprise works with corporations that provide our networks, social media platforms, and major software products. Increasingly, though, the American people need authoritative, understandable cybersecurity information.

In cybersecurity, every American is now on the front linestargetable by hostile nation-states, confidence tricksters, criminals intent on stealing money, and those wanting to sow hatred and division. This reality totally upends previous concepts of national security and political economy. In a bring your own device world, your iPhone or Android phone can be exploited to target you and your workplace, school, or neighbors. You need to know which apps transmit personal data overseas to servers under the effective control of the Chinese Communist Party, or how to instantly recognize the telltale signs of Russian or Iranian disinformation. Your social media feed can be manipulated in non-transparent ways to change how you vote, shop, or even think. Government cybersecurity needs to communicate effectively with individual Americans protect themselves from cyber threats without turning us into a nanny state.

Fifth, and most importantly, cybersecurity needs to be re-scaled by government, by non-federal stakeholders, and by everyday Americans.

The finest cybersecurity policies in the world are useless if theyre not adequately resourced. No matter what you may think of NSA, it is one of governments most successful examples of having learned the importance of scale.

The Cyberspace Solarium Commission said Congress must invest significant resources in CISA and the private sector needs to increase cybersecurity spending. Top cybersecurity experts Richard Clarke and Rob Knake found that successful companies spent 8% of their IT budgets on cyber defense. Today, most dont. CISAs current budget, enacted during the Trump administration, is $2billion, plus $650million added in President Bidens Covid-19 relief bill. In March, House Homeland Security ranking Republican John Katko called for CISA to become a $5billion agency. He is in the right ballpark.

The Russian Sunburst hack into SolarWinds in 2020 and recent ransomware attacks from Russian-based criminal groups show what capable, well-resourced adversaries can do against systems that are vulnerable to cyber exploitation. We should be deeply concerned about adversaries exploiting gaps and seams in the ability of overseas-focused agencies like NSA to collect cyber intelligence inside the United States. Just because there hasnt been a cyber Pearl Harbor or a cyber 9/11 doesnt mean that one is impossible. It means only that weve been luckyso far. Cybersecurity today takes serious resources, trust, and transparency. Swift Senate confirmation of Inglis and Easterly is essential to help bring this revolution about.

Read more expert-driven national security perspectives, insight and analysis in The Cipher Brief

Visit link:
Ushering in a Transparent Revolution in Cybersecurity - The Cipher Brief