America deserves a Cabinet-level Department of Cybersecurity
As we were reminded last week, the fight about the politicization of the Department of Homeland Security (DHS) and the tight squeeze the Cybersecurity and Infrastructure Security Agency (CISA) is in is alive and well. While many, including the Cyberspace Solarium Commission, have argued to keep the CISA where it is and strengthen it, the right answer is to finally take the plunge — to separate cybersecurity from DHS and make CISA an independent agency.
Right now, Jen Easterly’s confirmation to become director of CISA is being held up because of concerns from Sen. Rick Scott (R-Fla.) about the vice president visiting the southern border. What does the director of CISA have to do with that? Absolutely nothing. But the CISA is within the DHS, and so Scott has an in to extract concessions while holding cybersecurity hostage. Even former CISA Director Chris Krebs sounds like he would support the separation of the agency.
As Kiersten Todt, former executive director of the Commission on Enhancing National Cybersecurity, said: “In creating DHS, we threw in the kitchen sink, everything we needed to prevent another 9/11.” That left an agency that handles the protection of the president, the Super Bowl, immigration, airport security and cybersecurity. Is that the best and most efficient structure? It clearly wasn’t sufficient to prevent the Russian intrusion into federal agencies through SolarWinds or protect the Colonial pipeline.
Moreover, CISA’s limited resources and shoe-string budget do not inspire confidence or attract top talent. Besides the newest dustup on confirmations, the politicization of the department has remained a thorn in CISA’s side while arguing for larger budgets and coordinating information sharing with the private sector. In DEFCON discussions with the Cyberspace Solarium Commission, the weight of this baggage and politicization was evident in engagement with large tech companies. In an off-the-record conversation, some tech company employees stated their opposition to working with CISA because they viewed many DHS policies as questionable or immoral.
Detractors argue that separating CISA out would take time away (as long as five years) from the critical national security concerns and hacks that it handles on a day-to-day basis. But there will never be a “good time” to pause to properly restructure. Our enemies will never stop attacking us or testing our systems. If CISA cannot restructure now because it has critical work to do, consider how much more pressing cybersecurity concerns will be 10 years from now.
The lost productivity of a DHS-led CISA that constantly has to struggle for primacy while the leaders spend their days considering how to mold their policy aims into an overarching DHS narrative could have devastating consequences. As Marc Canellas recently argued: “The rising national profile of CISA…provides political capital that Biden and Congress should seize to establish CISA as an independent regulatory agency and thereby help it fully achieve its mission of protecting the nation’s critical infrastructure.”
Some argue that a standalone CISA would be weak against larger, more mature government bureaucracies — “heavyweights” such as the Federal Bureau of Investigation (FBI) or Department of Defense (DoD). But consider how strong its position has been to date, when the head of the agency doesn’t have an audience with the president and has the resources of 1/250 of the Department of Defense. As a separate and distinct Cabinet agency, a “Department of Cybersecurity” would have a direct line to the president and would gain significantly more authority as the federal network defender.
And while concerns raised about separating physical security and cybersecurity are important considerations, other agencies with overlapping issues have proven that this obstacle can be overcome. No one is arguing this same point about interagency coordination with the DoD and the FBI because they are strong, functional organizations that have working relationships with other agencies. CISA can replicate this approach in its own relationships with DHS, creating a matrixed organization that centralizes the planning aspects and pushes out the operationalization to federal agencies. It will take time, but the relationships will be built, and they will reduce redundancy.
The recent block of Easterly’s confirmation and the Colonial Pipeline and SolarWinds hacks prove that we need a strong, independent, depoliticized agency to advocate for this critical segment of national security, not an under-resourced, young bureaucratic organization buried in DHS. CISA needs freedom to grow and develop into the internationally recognized center of excellence it should be. America deserves nothing less.
Tatyana Bolton is the director of the Cybersecurity and Emerging Threats team at the R Street Institute. Before joining R Street, Tatyana was the policy director for the U.S. Cyberspace Solarium Commission.
Bryson Bort is a senior fellow with the R Street Cyber Security and Emerging Threats team. He is also the founder of SCYTHE, a start-up building a next-generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy. He also co-founded the ICS Village, a nonprofit advancing awareness of industrial control system security.
The Hill has removed its comment section, as there are many other forums for readers to participate in the conversation. We invite you to join the discussion on Facebook and Twitter.