Cybersecurity's Duplication Dilemma

Weekly Article
March 21, 2019

Americans hear every day, it seems, that we don’t have enough cybersecurity resources to tackle the numerous challenges that we, as a country, face. Yet budget trends at all levels show that, slowly but surely, the cybersecurity message is getting through to budgeteers.

For instance, the 2019 fiscal year budget request ramped up cybersecurity funding by more than 4 percent across the federal government, with large additional investment at the Departments of Defense, Homeland Security, and Energy, among other places. On top of that, 44 percent of states saw a budget increase in 2018.

Indeed, while increased budget size is only one metric, it shows continued investment in cybersecurity across various layers of government. From the city level up through the federal government, the maturity, so to speak, of cybersecurity programs has grown and come in a variety of flavors. It will likely only continue to grow with this infusion of funds.

But ballooning financial budgets will never be enough to fully meet the challenge. More than that, they could even be self-defeating, leading to a duplication of efforts as organizations not only fight for similar parts of the pie, but also employ similar metrics of success. This threatens to increase intergovernmental competition, which can fuel confusion over who does what during a crisis and minimize services available. It’s time to address the problem strategically—across agency and government barriers—to properly plan, position, and direct resources.

The federal government, on its own, has a history of duplicating efforts. Before it had more specifically defined agency responsibilities—a series of efforts that, in 2016, ultimately led to former President Barack Obama signing Presidential Policy Directive 41, United States Cyber Incident Coordination—agencies regularly tussled over who did what in times of crisis. While in some ways it’s easy to argue that more is better—that the more teams there are to provide services, the more clients can be served, especially when the speed of a response is an important factor—these situations can also stoke costly confusion for the incident response teams that are charged with managing the aftermath of a security or IT incident.

But it’s not just the federal government that’s been beleaguered by this duplication dilemma. Sector-specific agencies and state and local governments also risk barreling into the same challenges as they gain their own capabilities. This has only heightened the need to re-think which cybersecurity functions are better led by which government unit, and where to push resources to make that happen. Because only certain organizations actually have the legal mandate to take certain actions, some of this process is, or at least will be, governed by authorities. But some of it will need to be decided at the policy level.

Consider one of the main benefits of de-duplicating services: greater skill development. If Department of Homeland Security teams were to focus their attention on “traditional” systems—like Windows/Linux—and leave the sector-specific agencies to deal with systems specific to that sector, each agency could focus its resources on particular systems or services. This would decrease both disorder and disagreement over which team is called to an incident.

In a similar vein, there are certain services currently offered by the Department of Homeland Security—vulnerability testing, for instance, which involves cybersecurity specialists testing IT systems for weaknesses in code or configuration—that could be done by state or other partners. New York is building this kind of capability, and National Guard units have been used in this capacity before. This is because the Department of Homeland Security will never have the personnel to reach all the critical infrastructure or local government institutions that need that service in the states. As a result, pushing it out to the states and to National Guard units frees up personnel allocations to focus on functions that would still be held at the national level: exercise development, threat hunting, and strategic supply-chain risk management.

But beyond the work mentioned above, how else can this de-duplicating dream be made a reality?

There are three actions that I’d argue are particularly worth exploring, each happening across various levels of government. First, from the top down, the National Security Council and the Office of Management and Budget, the two organizations whose reach spans the entire executive branch, could take a more active role in coordinating responsibilities and in setting priorities for each part of government—local governments included.

Second, from the bottom up, states ought to take the initiative, together with the federal government, to coordinate to form the foundations of a regional government of sorts. By regionalizing services—that is, multiple states, cities, and counties pooling their security resources—operators can use economy of scale to decrease per capita cost. The private sector has been harnessing this concept—the managed security service provider—for years, and the value of centralized IT services is well known both in and out of government. Most government organizations, whether federal agencies or local governments, don’t and likely never will have the resources to run their own security operations centers effectively. By combining efforts from multiple local governments, they could field their own proprietary security office.

And third, the Department of Homeland Security (and Congress, which would have to authorize and appropriate funds for this) might consider forming a Cyber Civilian Corps. As my colleague Peter Singer and I have argued before, this sort of organization could take over some functions, such as education for small businesses and citizens, to help coordinate messages nationally.

This isn’t to suggest that the process would be easy or straightforward. For one, the federal government has the authority to direct states’ cybersecurity programs, despite the fact that developing capability is a state-by-state and city-by-city activity. It requires the devotion of resources and the hiring of personnel to staff those functions, and it needs a legal and policy function to authorize services. Even the National Guard, which has some national organization through the National Guard Bureau, operates as 54 different institutions and is governed by individual state and territory laws when put on State Active Duty.

Still, the work that the Departments of Homeland Security and Defense have already done on this front—for instance, ahead of the 2018 midterm elections—has shown that this cooperation can yield significant results. The development of a more sophisticated mindset toward cybersecurity, and an acknowledgement of the threat at every level of government, is no doubt positive, and it will make everyone safer in the long run. But no organization has unlimited resources. A strategic look at who is best situated to perform what duties is therefore essential.