The White House wants to combat cyberattacks the same way it counters terrorism — by sharing data.
On Tuesday, the administration rolled out its plan to help intelligence agencies share cyber threat data and respond to the rising tide of cyber assaults.
“We need to develop the same muscle memory” in responding to cyber threats “as we have for terrorist incidents,” said Lisa Monaco, homeland security advisor to President Obama, speaking at a Wilson Center event.
The centerpiece of the strategy is a new agency, the Cyber Threat and Intelligence Integration Center (CTIIC), housed within the Office of the Director of National Intelligence (DNI). The center will integrate intelligence community cyber information and share it with civilian agencies such as the Department of Homeland Security (DHS) and FBI.
“Currently, no single government entity is responsible for producing coordinated cyber threat assessments,” Monaco said. “CTIIC is intended to fill these gaps.”
CTIIC is the administration’s attempt to imitate government changes made after the Sept. 11, 2001, terrorist attacks that allowed agencies to better collaborate on counterterrorism efforts.
In the wake of attack on the Twin Towers, many alleged the government could have thwarted the plot if officials had better shared intelligence data.
“There are structural, organizational and cultural shifts that were made in our government in the counterterrorism realm that also apply to cyber,” Monaco said.
A slew of high-profile cyberattacks from foreign countries, cyber criminals and digital terrorists are stark examples of the rapidly expanding cyber threat, Monaco said.
“The threat is becoming more diverse, more sophisticated and more dangerous,” Monaco said. “I worry that malicious attacks like the one on Sony Pictures will increasingly become the norm unless we adapt quickly,” she added, citing North Korean hackers who made violent threats against the movie studio for a comedy depicting the assassination of their leader, Kim Jong Un.
She also mentioned China and the Islamic State in Iraq and Syria (ISIS) as emerging threats. Chinese state-sponsored hackers are suspected in a data breach at health insurer Anthem Inc. that exposed up to 80 million customers’ information. Hackers claiming a connection with ISIS recently took over the U.S. Central Command’s Twitter and YouTube accounts.
That’s why the CTIIC will largely resemble the National Counterterrorism Center (NCTC), the government main hub for assessing intelligence on potential malicious plots. It’s a proven model, Monaco said.
The NCTC has made the government’s counterterrorism efforts “more efficient and more sustainable,” she said.
CTIIC will take information collected from numerous federal agencies, consolidate and analyze that data, then share it with lawmakers and civilian agencies.
The center will also ensure agencies are exchanging cyber data with one another.
Monaco was firm that CTIIC would not collect any new cyber data of its own.
“It will analyze and integrate information already collected under existing authorities,” she said. “It’s intended to enable them to do their jobs more effectively.”
The U.S. government has faced significant backlash over its surveillance programs since former contractor Edward Snowden revealed the existence of several secret National Security Agency (NSA) programs that collected data on Americans’ phone records and Internet activity.
Privacy advocates have worried that increased cyber information sharing will simply give the NSA more sensitive data on Americans.
Tuesday’s announcement didn’t quell those fears.
“The DNI lacks the same robust transparency mechanisms and privacy protections that exist in purely civilian entities like DHS,” said Robyn Greene, policy counsel with the Open Technology Institute.
The CTIIC represents a brief change in focus for the White House, which has spent the last month promoting the DHS as the center of its cyber information-sharing plans.
The administration issued a legislative proposal that would make the DHS cyber information hub — known as the National Cybersecurity and Communications Integration Center (NCCIC) — the center of the government’s public-private cyber data exchange program.
President Obama will also unveil an executive action on Friday that is expected to simplify how companies share cyber threat data with the NCCIC.
With the expected action at the end of the week, some were miffed by the announcement of a new agency.
“We’re building another layer of bureaucracy,” said Amie Stepanovich, senior policy counsel at digital rights advocate Access Now. “You don’t necessarily get your house in order by building new houses.”
Some in the security community, meantime, wondered how the new agency would be staffed. The government frequently cites its shortage of cyber experts as a main challenge in combating cyberattacks.
“Are they going to pay market salaries, not government salaries for this expertise?” wondered Jeff Williams, chief technology officer at Contrast Security. “They are going to need an army of experts and they’re not going to be able to find them.”
Lawmakers advocating for cyber bills reacted differently. CTIIC is a necessary move to improve government response to the rapidly expanding cyber threat, they argued.
“Anything that can be done to improve coordination within the federal government will help to better protect our nation from cyber breaches,” said House Homeland Security Committee Chairman Michael McCaul (R-Texas).
The intelligence community and civilian agencies haven’t always communicated well on cyber issues, McCaul said, making the CTIIC “a good first step.”
Sen. Angus KingAngus KingRep. Tim Ryan becomes latest COVID-19 breakthrough case in Congress Senate backers of new voting rights bill push for swift passage Stacey Abrams backs Senate Democrats' voting rights compromise MORE (I-Maine) called the new agency “long overdue,” but urged, “it’s time Congress acts.”
Monaco echoed King’s sentiment in her remarks Tuesday.
“Everybody shares responsibility here, including the Congress,” she said.
Capitol Hill has been debating for a few years various ways to enhance the public-private exchange of cyber threat data.
Some version of the White House’s offering to put the DHS at the middle of this exchange is expected to get introduced this year in the Senate Homeland Security and Governmental Affairs Committee.
But while the idea of a public-private exchange maintains bipartisan support, privacy concerns and competing visions of the how to achieve this goal give the measure no clear path to passage.
An idle Congress is simply putting the country at greater risk, Monaco emphasized.
“Cybersecurity is and will remain a defining challenge of the 21st century,” she said. “There is simply no putting this genie back in the bottle.”