Fighting Hackers One Acronym at a Time
Maybe the tangled web of our bureaucracy will entrap them.
Give a warm welcome to the newest member of the U.S.'s national cybersecurity family, the mellifluously named Cyber Threat Intelligence Integration Center.
The new agency, unveiled yesterday, will be modeled on the National Counterterrorism Center and designed to share information about cyberthreats. It's expected to employ about 50 people with a budget of $35 million. That may not sound like much, as these things go. Until you remember just how vast and convoluted the federal cybersecurity bureaucracy already is.
For just a small sampling, consider that the Pentagon's Cyber Command protects the military, the National Security Agency protects sensitive government networks, the Department of Homeland Security helps protect critical infrastructure, the Federal Bureau of Investigation pursues cybercriminals and spies, departments and agencies across the government protect their own networks, and the White House watches over things with a cybersecurity coordinator and a Cyber Response Group.
All of the above, of course, want more money and bigger staffs. President Barack Obama's new budget asks for $16 billion to shore up digital defenses, after years of already intensive investment. The Pentagon alone spends about $5 billion on cybersecurity a year, not counting a doubtless ample classified budget. If you're a contractor, you don't need a weatherman to know which way the wind's blowing.
Now there is the CTIIC. It will be part of the Office of the Director of National Intelligence -- which already has a cybersecurity team -- and will seek to integrate the information pouring in from all points, to get a sense of the bigger picture.
Sounds great in theory. But two questions suggest themselves.
First, will yet another acronym really help organize this proliferating bureaucracy? The White House should clarify, for example, how this new fiefdom will differ from (or work with) the National Cybersecurity and Communications Integration Center, one of five divisions of the Homeland Security Department's Office of Cybersecurity and Communications. The NCCIC describes itself as "a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement." This sounds an awful lot like what the new center expects to be.
Second, what rules will govern this new apparatus? If it's to straddle the line between intelligence and law enforcement -- and between the government and the private sector -- it will quickly have to confront the familiar tensions between civil liberties and security. Convincing the public that it won't wantonly snoop on personal information, share it too widely or use it for some undeclared purpose won't be easy in an age of surveillance skepticism.
Finally, the parallel with fighting terrorism that the White House has invoked seems wrong. The NCTC has indeed done a good job of harmonizing the nation's intelligence operations. But transparency with the public matters a lot more in cybersecurity than in counterterrorism, while borders and nationalities typically matter less. Sensitive civilian information is more likely to come into play. And cybersecurity encompasses such a diverse spectrum of behavior -- vandalism, petty crime, industrial espionage, state-sponsored attacks -- that it requires a much more flexible and open approach than tracking down al-Qaeda.
Again and again, the government has responded to digital threats by asking for more money and more people. This hasn't been a notably successful strategy. The White House needs to explain why one more agency, and another line in the budget, will finally do the trick.
To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at firstname.lastname@example.org.