Last week was a big one for the White House's cybersecurity efforts. On Tuesday, one of President Barack Obama's key advisors announced the creation of a new cybersecurity office, followed Friday by Obama giving a speech and signing an executive order that strengthens the authority of a federal office to collect and aggregate cyber threat information from across the government and the private sector.
The problem is that the newly created office announced Tuesday and the office empowered Friday through Obama's executive order are completely different entities. To make matters even more vexing, there's a third organization — first revealed in December — with seemingly the same exact job.
For those keeping score at home, the three new US cyber groups are the National Cybersecurity and Communications Integration Center (empowered Friday), the Cyber Threat Intelligence Integration Center (announced Tuesday), and the Cyber Response Group (revealed in December). Depending on who you ask and how, they all do the same exact thing or completely different things — or both.
Normally, you might write this explanation off as some sort of cheap shot about bureaucratic inefficiency or the unrestrained growth of the security state or whatever other form of sloganeering masquerading as explanation you prefer.
But cheap BS answers won't hack it here. No, the White House doesn't roll out major cybersecurity announcements back to back like this without at least having some weird internal logic — no matter how twisted — that ties it all together. For someone, somewhere, deep in the bowels of government, this all makes perfect sense. The question is: Does it make sense to anyone else?
Trying to slog through the various regulations, orders, and provisions involved in this bureaucratic clustercuss feels like Douglas Adams channeling Kafka for a sequel to Catch-22 entitled Government Cybersecurity for Dummies. This is my attempt to figure out what these three entirely different and/or totally identical organizations are doing.
* * *
The executive order issued Friday by Obama was aimed at bolstering the Department of Homeland Security's (DHS) big cybersecurity information aggregator: the National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC was established in 2002 to collect information about everything related to cybersecurity threats. The idea back then was to have one place in government where people could go and ask what the hell is happening regarding cyber issues.
Friday's executive order says the NCCIC should definitely do more of this aggregating, specifically by supporting the creation of Information Sharing and Analysis Organizations (ISAOs). The ISAOs can be private or public or whatever, involve whatever members seem appropriate, and be organized in whatever fashion seems best. That's quite a few whatevers, but the key takeaway is that the NCCIC is supposed to make sure there are lots of ISAOs that include everyone.
Why? The theory is that NCCIC will talk to all these ISAOs and aggregate their information, giving NCCIC (and, by extension, the Department of Homeland Security) the ability to provide a comprehensive overview of what's going on with cybersecurity.
The provisions in the executive order are basically unrelated to the speech four days earlier by Lisa Monaco, the president's homeland security and counterterrorism advisor, which caused excitement about the creation of a new cybersecurity "agency."
Monaco announced the creation of a Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC will live under the Office of the Director of National Intelligence (ODNI). Together, they will be tasked with collecting data on cyber threats from all available sources and compiling an intelligence report for the president.
Contrary to the hype about a new "agency," there will be no super-office staffed with thousands of Hollywood stunt nerds gleefully pounding away on a "16-core with a ten meg pipe." We're talking about a staff of 50 with a $35 million budget and no operational responsibilities.
Imagine one person in a class collecting everyone's homework, taking a quick peek at Wikipedia, then compiling and combining all the answers to produce a Collective Homework Solution from the entire class to present to the teacher. The CTIIC's role is something like that, only it's the president instead of a teacher, and cybersecurity threats instead of homework.
And finally, the third entity: Just two months ago, Monaco first discussed the July 2014 creation of the Cyber Response Group (CRG). The CRG lives under the Homeland Security Council, which is not to be confused with the Department of Homeland Security. Instead, the CRG is the homeland security version of the National Security Council — a group of relevant cabinet members and agency heads that meet to coordinate efforts and interface with the White House.
According to Bloomberg Business, Monaco said the purpose of the CRG is to "literally get around the table in the Situation Room, pool our knowledge, understand what that threat looks like," and then figure out how to share information with the private sector to protect companies.
"[The CTIIC will not] perform functions already assigned to other Centers," she said. "It is intended to enable them to do their jobs more effectively, and as a result, make the federal government more effective as a whole in responding to cyber threats."
* * *
There you have it: three government entities that all apparently have the same job. But according to Monaco, the person who has set up at least two of those groups, they all have different jobs.
It's also worth noting here that the DOD, CIA, FBI, NSA, and other three-letter agencies each have their own comprehensive government-wide cybersecurity efforts. Plus there's Michael Daniel, Obama's main cybersecurity guy, who, according to the White House, "leads the interagency development of national cybersecurity strategy and policy, and he oversees agencies' implementation of those policies."
To find out what the hell is actually going on, I contacted the DHS and asked for clarification. Sy Lee, a spokesman for the agency, told me in an email that I should talk to the White House and the ODNI for any comment on the CTIIC, adding that "NCCIC's role has not changed."
Not to be deterred, I got in touch with a former senior government cybersecurity guy who has looked in the face of the bureaucratic-security complex recently enough to still have vivid flashbacks. I asked him, in so many words, WTF?
He agreed to speak candidly so long as I didn't use his name.
"It's because DHS is an organization run entirely by cops — all kinds of different cops," he explained. "Culturally, law enforcement has a hard time with cyber because dealing with cyber means thinking outside the box. But cops are the box. Cyber just confuses them."
A cyberattack is an exercise in finding and exploiting the tiny little chinks in the armor that are an unavoidable byproduct of large bureaucracies. Constantly thinking contrary to the rules — spotting those weak spots and anticipating these attacks — is just not a mindset that comes naturally to law enforcement.
The ex-government cybersecurity guy also said that DHS, the parent organization of the NCCIC, is a Frankenstein's monster of a federal agency, stitched together from groups ranging from the Secret Service to the Coast Guard. These groups have had a very hard time gelling into a coherent organizational culture, suffer from churn, and have lousy morale. He told me to check out the Partnership for Public Service's survey on the best places to work in the federal government.
The survey shows, among other things, that federal workplace satisfaction is at an all-time low. The survey scores agencies and departments on a scale of 1 to 100, covering a variety of measures; 100 is a great place to work, 1 is a very, very bad one. Private sector jobs rated an average of 72 out of 100. Government jobs scored an average of 56.9. DHS came in dead last among government agencies with a score of 44.
"It's not that they don't have good analysts," my source said. "I have nothing but great things to say about USCERT [United States Computer Emergency Readiness Team]. It's just that DHS can't do this institutionally."
In other words, DHS can't translate the work of a few good analysts into an effective agency response. That information just doesn't percolate up the chain of command very effectively.
He gave the example of DHS's Continuous Diagnostics and Mitigation (CDM) Program, which is essentially supposed to buy stuff for network security, distribute it to various agencies, and keep them up to speed. But the process is deeply broken.
The CDM solicits requests with little to no warning, with little time to respond, and sends back a baffling mixture of seemingly random stuff. "It's like a security piñata," my source said. "You hit a piñata and candy falls out. You hit the security piñata and completely random cybersecurity crap comes out."
In the end, he explained, the creation of these new groups is a huge slap in the face to DHS. Basically, DHS couldn't manage to collect information about cyberattacks quickly or effectively, the White House got fed up, and rejiggered everything.
Although my source didn't dwell on it, I have a sneaking suspicion that part of the problem is that appointing an agency to be the central spokesman for the rest of government on a topic that's sexy and getting a lot of love and money from Congress raised the hackles of other powerful stakeholders. If DHS were to be first among equals on cybersecurity, then what are the FBI, CIA, and DOD? Chopped liver?
And that brings us back to the Cyber Response Group. Again, the CRG is the domain of the Homeland Security Council, a coordinating body that brings together different cabinet members and agency heads. If the DHS couldn't get the job done, why not use an existing coordinating body to, you know, coordinate stuff? Hence, the CRG was born.
There are problems with this approach. Interagency processes can be a slow and tedious pain in the butt. These tiny little sub-groups under the Homeland Security Council and National Security Council sometimes have limitations. How big can they get? How much authority do they have? On whose behalf are they operating?
The CRG might be a great place to have the various agencies send their reports, but it's not the same thing as having a coherent picture of current cyber threats. According to the Washington Post, when Obama asked for the culprit of the Sony hack, his chief Homeland Security advisor convened the six relevant agencies (presumably through the CRG) and relayed the question. She got back six answers. All agreed that North Korea was responsible, but not all were certain. Basically, the CRG couldn't produce an integrated analysis.
That failure is likely what led to the creation of the CTIIC. Its job is more or less to take everyone else's finished intelligence products and plug them in as raw material for another analysis, so that when the president asks a simple question, he can get a simple answer without six agencies cluttering the page with footnotes and qualifiers.
* * *
The government seems to think it's critical to aggregate and compile information about cyber stuff. But the value of gathering the intelligence community's consensus opinion is debatable. Synthesizing every bureaucratic finding to produce the "best" answer can lead to groupthink and regurgitating conventional wisdom.
The DHS's NCCIC will probably still serve as the lead for communicating with the public. Neither of the two other groups has the tools or sufficient staff to work effectively with the private sector. Collecting information from the private sector, and pushing threat information or attack responses out to it, will probably continue to run through DHS.
The CTIIC will likely benefit from living under the same roof as the National Counterterrorism Center (NCTC). Attacks that combine physical and cyber components are an emerging threat. Since the CTIIC may have issues figuring out where its authority over cyber stuff begins and physical stuff ends, the NCTC may prove an effective workaround.
Because the DHS is being largely cut out of the process of aggregating threat information from the FBI, CIA, and others, it may be that the agency's mission evolves into being focused on "cyber threats" where "threat" emphasizes the specific bit of malware or code or whatever being used. Conversely, the CTIIC will focus on "cyber threats" where "threat" is the actors, people, and organizations causing the fuss.
It's a bit like asking what's more dangerous, the gun or the man holding the gun. The NCCIC is going to keep its eye on the gun. The CTIIC is going to watch the man holding the gun. The CRG will host the peanut gallery of bystanders.
Follow Ryan Faith on Twitter: @Operation_Ryan