By Matthew Bobby —
A month ago, the Department of Defense (DoD) and the Department of Homeland Security (DHS) released a memorandum of agreement to increase cooperation in an effort to improve U.S. cybersecurity capabilities. Specifically, the memorandum’s three pronged purpose is to improve cybersecurity collaboration regarding strategic planning, capabilities development, and mission activities. The agreement pursues these goals by outlining specific joint and individual responsibilities for the two departments.
The most tangible aspect of the agreement is a personnel swap, which, according to the DoD news release, is intended to improve lines of communication, specifically, communicating priorities and support requests. Under the agreement, DHS will appoint a Director of Cybersecurity Coordination who will work within the National Security Agency (NSA) and serve as the DHS Cybersecurity Representative to the U.S. Cyber Command. Additionally, DHS has committed to assigning supplementary personnel to the NSA, including members of DHS’ Office of the General Counsel, Privacy Office, and Office for Civil Rights and Civil Liberties. In return, DoD will embed a group of analysts, a Cryptologic Services Group, at DHS’s National Cybersecurity and Communications Integration Center (NCCIC) with the goal of supporting DHS cybersecurity operations and synchronizing them with those of DoD. Importantly, the agreement does not “alter existing DoD and DHS authorities, command relationships, or privacy, civil liberties, and other oversight relationships.”
One of the anticipated advantages of the agreement is DHS’s increased access to DoD, especially NSA, resources and expertise, specifically the Cryptologic Services Group. Interestingly, the agreement comes shortly after an Inspector General’s report criticizing the vulnerability to cyber attack of DHS’s systems. Whether the sharing of resources will assist DHS in shoring up its systems is unclear, as the agreement appears to be aimed more at increasing synchronization regarding specific operations, as opposed to shoring up general vulnerabilities.
Another potential benefit of the agreement is that, by increasing coordination it may lead to a reduction in bureaucratic squabbling and turf wars over cybersecurity authority. Such issues have been recently brought to the fore with the resignation in March of the Director of DHS’s National Cyber Security Center, Rod Beckstrom. In his resignation letter, Beckstrom claimed that the NSA “dominates” cybersecurity and “effectively controls DHS cyber efforts.” Proponents argue that there are already clear lines of authority regarding the agencies’ relative purviews, but what is needed, and which the agreement provides, is communication and recognition of relative authority in order to prevent any “mission creep.” Under this view, in which such turf wars are accidental rather than deliberate, by not altering existing lines of authority and increasing collaboration and information sharing, the agreement will only sharpen the already clear distinctions between agency roles.
On the other hand, if lines of authority are not already clear, or if, as Beckstrom’s letter suggests, NSA overreaching is responsible for interagency disputes, then the agreement may serve to further exacerbate such difficulties. By commingling personnel without clarifying areas of authority or responsibility, the agreement may serve to further blur any already murky areas and give the NSA opportunities to attempt to assert further control over responsibilities nominally assigned to DHS. The leverage NSA will gain through its provision of personnel and expertise could exacerbate the latter issue. Whether the agreement will ultimately enhance cooperation and the boundaries of authority or lead to greater bureaucratic infighting, will depend on whichever set of underlying assumptions is correct and the approach each side takes to the new agreement.
In a similar vein, some privacy advocates have expressed trepidation over NSA involvement in the protection of domestic computer networks, an area within DHS’s purview, but which will now involve NSA resources and personnel. Several elements of the agreement seem explicitly aimed at these concerns. The most visible is the assignment of members of DHS’s Office for Civil Rights and Civil Liberties to NSA to assist the DHS Director of Cybersecurity Coordination. The agreement further stresses that the Director and his team will work outside the NSA chain of command. The emphasis on keeping preexisting areas of responsibility intact, leaving DHS in charge of domestic cybersecurity matters, is also aimed at concerns over NSA involvement in the domestic realm. However, such safeguards have not alleviated all concerns, such as those of Laura W. Murphy of the ACLU, who laments that the proposal was not “subject to robust public debate.”
Ultimately, however, while the above concerns should be taken seriously, they may be somewhat premature. The New York Times has reported that the Pentagon plans to release a National Defense Strategy for Cyber Operations by the end of the year and that the White House will follow-up in 2011 with interagency guidelines regarding cybersecurity. Hopefully, these agreements will alleviate any legitimate concerns regarding privacy and interagency cooperation.
In the meantime, though, the agreement, while subject to legitimate criticism, allows DHS access to the U.S.’s most advanced cybersecurity resources to protect domestic computer networks, the most likely cyber target. While a vigilant eye should be kept on maintaining privacy and preventing bureaucratic infighting, this potentially major advancement for U.S. cybersecurity should not be overlooked.
Image courtesy of ExecutiveGov