April 14, 2021

Key Players in Cybersecurity


KEY TAKEAWAYS

  • Congress established the Senate-confirmed position of national cybersecurity director to help unify the work of dozens of federal agencies with cybersecurity responsibilities.
  • Responding effectively to the SolarWinds cyberattack and other threats will require significant coordination and communication among government agencies and the private sector.
  • Cybersecurity operations by the Department of Defense and intelligence community focus on our adversaries overseas, while other agencies deal more with domestic cyber events. 

The SolarWinds cyberattack that came to light in December was a stark reminder of the vulnerability of America’s cyber networks. Protecting those networks is a national security issue that involves cooperation by countless private sector businesses and dozens of government agencies. The Biden administration faces an urgent need to unify and coordinate the sprawling federal cybersecurity strategy and posture.

Key Cybersecurity Agencies

Cyber Governance

National Cybersecurity Director

GAO has identified 23 different federal agencies that have roles and responsibilities in cybersecurity. They all have different areas of expertise or focus – including developing policies, monitoring infrastructure, investigating cyberattacks, and doing research. To help coordinate their efforts, the FY 2021 National Defense Authorization Act created the position of national cybersecurity director. This Senate-confirmed official will function as the president’s principal cybersecurity adviser, and coordinate federal agencies to produce one unified response from the federal government to the cybersecurity challenges facing the nation. On April 12, the Biden administration announced its intention to nominate Chris Inglis to fill the position. Mr. Inglis worked at the National Security Agency for 28 years, retiring as deputy director in 2014.

The director will face the challenge of establishing relationships and credibility with numerous other entities, starting inside the White House where officials at the Office of Management and Budget and the National Security Council also have cybersecurity roles, and then extending across the federal government. U.S. Comptroller General Gene Dodaro has said it will be “especially critical” for the Biden administration to fill the position and ensure the director has the “authority and capabilities” to be successful, which could include “identifying opportunities for clarifying and streamlining the bureaucracy.”

The position is especially important given the need for a coordinated government response to the SolarWinds attack. The deputy national security adviser for cyber and emerging technology at the NSC is currently coordinating the federal government’s response to the SolarWinds operation.

CISA

The Cybersecurity and Infrastructure Security Agency is the Department of Homeland Security’s primary component involved with cybersecurity. CISA assesses cyber and other risks to the nation’s critical infrastructure sectors, such as the power grid, water systems, and hospitals. The agency works to increase the security of government and civilian networks by deploying threat hunting teams, providing risk assessments, and facilitating the sharing of threat information between the government and the private sector. On April 12, the Biden administration announced its intention to nominate Jen Easterly to lead the agency. Ms. Easterly is a veteran NSA official.

In response to the SolarWinds cyberattack, CISA has issued alerts to keep the industry up to date and an emergency directive requiring agencies to take steps to mitigate the potential impact; it also has provided detailed assessments for other agencies to help determine if they are at risk. Some observers have criticized CISA’s multibillion-dollar EINSTEIN security system, which is supposed to monitor traffic and protect federal networks from cyberattacks, for not detecting the intrusion. The acting director of CISA has argued that EINSTEIN was designed to detect known variants of malware, not the type of supply chain attack utilized in the SolarWinds operation.

OMB

The Office of Management and Budget is responsible for approving and enforcing security requirements placed on federal agencies by the Federal Information Security Modernization Act. FISMA is the primary cybersecurity law governing federal agencies. The law requires federal agencies to have specific cybersecurity plans in place, periodically review their controls, and report major data breaches to Congress as they occur and as part of annual reports. FISMA also requires agency inspectors general or an independent external auditor to conduct annual evaluations to determine the effectiveness of agency information security programs. These reports are important oversight products for Congress and often document significant cybersecurity challenges and issues at agencies. DHS administers FISMA, and the National Institute of Standards and Technology provides standards against which FISMA requirements are developed.

OMB also has a variety of officials with a role in cybersecurity, including the federal chief information officer, who heads the Office of E-Government and Information Technology. The federal CIO provides guidance to agency CIOs to help them secure their networks. For example, after the 2015 data breaches at the Office of Personnel Management, the federal CIO initiated a “cybersecurity sprint” and ordered all federal agencies to complete basic security measures within 30 days. On March 9, President Biden appointed Clare Martorana to serve as federal CIO. Ms. Martorana most recently served as CIO for OPM.

AGENCY CIOs

Under FISMA, ultimate responsibility for agency cybersecurity lies with the head of each agency. CIOs work to share best practices and information through the CIO Council. They will be instrumental in the government’s response to the SolarWinds attack, scouring their networks to determine what information is at risk and to ensure the hacker has been completely expelled from the system.

DOD/Intelligence Community

The Department of Defense and the intelligence community focus on America’s foreign adversaries in cyberspace and not on response to domestic incidents involving private sector networks. Some of the IC components involved with cyber issues include the Office of the Director of National Intelligence and the Central Intelligence Agency’s Directorate of Digital Innovation. At DOD, Cyber Command and the National Security Agency are key players. The heads of all these agencies are Senate-confirmed positions.

Cyber Command is a DOD combatant command governed by Title 10 authorities. It is focused on cyber operations and defending DOD networks and the nation against cyberattacks. The command includes 6,200 people on 133 Cyber Mission Force teams that can deploy overseas and work with our allies to search for cyber threats.

The National Security Agency, also a part of DOD, operates under Title 50 authorities and leads the government’s efforts in signals intelligence and “information assurance” of national security IT systems. The NSA also developed the National Cybersecurity Assistance Program, which identifies companies that are best suited to help with private and government cybersecurity needs. In 2019, NSA created the Cybersecurity Directorate to protect national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of the security of the military’s weapons.

Justice Department

The Department of Justice plays a critical cybersecurity role by working to hold cybercriminals accountable for their actions. The FBI works with victims of cyberattacks and investigates attacks, and DOJ brings charges against hackers associated with nation-states.

Last October, the department secured an indictment against six Russian intelligence officers. The indictment alleges the hackers were responsible for multiple serious cyberattacks on targets including the 2017 French elections and the 2018 Winter Olympics. Earlier this year, a federal indictment was unsealed that charges three North Korean hackers with a series of crimes, including a 2014 attack on Sony Pictures, cyber-enabled ATM thefts around the globe, and stealing millions of dollars of cryptocurrency.

DOJ’s work in this area is headed by the assistant attorney general for the Criminal Division, a Senate-confirmed position. On April 12, the Biden administration announced its intent to nominate Kenneth Polite to fill the position. Mr. Polite previously served as the U.S. attorney for the Eastern District of Louisiana.

Commerce Department

The Department of Commerce focuses on ensuring U.S. global competitiveness in cybersecurity. The National Institute of Standards and Technology develops cybersecurity and privacy standards, best practices, and technology to protect federal government and private sector networks. NIST also houses a federally funded research and development center focused on cybersecurity. According to a recent review by GAO, no agency has implemented all of the supply chain risk management practices identified by NIST.