Lawmakers are concerned that bureaucratic turf wars are complicating the federal response to cyber threats.
The issue took center stage this week, as senators on the Homeland Security and Governmental Affairs Committee fretted that they had been unable to pass key cyber legislation requested by the Department of Homeland Security (DHS) because of a disagreement with the Senate Intelligence Committee.
“The reality of the situation is there is conflict here,” said Chairman Ron JohnsonRonald (Ron) Harold JohnsonGOP senator: Buying Treasury bonds 'foolish' amid standoff over debt ceiling, taxes Internal poll shows Barnes with 29-point lead in Wisconsin Democratic Senate primary Wisconsin Democratic Senate candidate facing 4 felony charges MORE (R-Wis.) at a hearing Wednesday. “This threat is too significant to allow turf wars to get in the way of as efficient an operation as possible in terms of dealing with a very complex and serious problem.”
The dust-up illuminates the broader issue of turf wars over cybersecurity in the federal government.
The executive branch has no one single agency assigned to handle cyber. Instead, authorities are spread out over various agencies, including the Justice Department, which investigates and prosecutes cyber crime, and the Pentagon and broader intelligence community, both of which handle what is considered “offensive” cyber activity.
While Homeland Security is broadly recognized as the main agency defending federal networks and critical national assets from cyberattacks, individual agencies also play a major role in guarding their own networks and personnel from malicious cyber actors.
The set-up means that virtually every congressional committee has a say in the federal government’s cybersecurity efforts.
“On defense, the responsibilities are so spread across so many parts of the federal government and across so many congressional jurisdictions,” said Michael Sulmeyer, a former cyber policy official at the Pentagon. “That is very hard to get coherent policy government wide.”
Homeland Security — a relatively young agency — has dramatically grown its cyber capabilities in recent years. Department officials and some lawmakers are pushing for legislation that would rename and reorganize Homeland Security’s main cyber wing, the National Protection and Programs Directorate (NPPD), transforming it from a headquarters unit to an operational agency called the Cybersecurity and Infrastructure Security Agency.
Proponents of the legislation, which has not been viewed as particularly controversial, say that it will help the department recruit talented personnel and streamline its cyber and infrastructure protection efforts.
But at the confirmation hearing for Christopher Krebs, President TrumpDonald TrumpFormer Sen. Heller to run for Nevada governor Overnight Defense & National Security — Milley becomes lightning rod Joint Chiefs Chairman Milley becomes lightning rod on right MORE’s nominee to lead NPPD, on Wednesday, Johnson revealed that lawmakers failed to insert the provision into a massive funding bill approved last month because the Intelligence Committee objected to it.
“There’s a reason we didn’t get the name change in the omnibus,” Johnson said. “There was objection to that.”
Aides declined to discuss the specifics of the holdup over the legislation. James Norton, a former Homeland Security official under the George W. Bush administration, said it would not be unusual for the Intelligence Committee to object to the bill.
“They may have wanted time to review the legislation and potentially call a hearing on it,” Norton said. “DHS has several components that are part of the intelligence community … and if the new cyber organization has a large intelligence responsibility from a sharing and collection standpoint, then it may be a new player in the intelligence community that would need oversight.”
The version of the legislation passed by the House gives the leader of the new Homeland Security agency the authority to access, receive and analyze law enforcement and intelligence information. It also says that personnel from various intelligence entities — including the National Security Agency, CIA and FBI — may be “detailed” to the new agency to help carry out its responsibilities.
The bill’s path forward is unclear, though lawmakers appear willing to work out the issues. Johnson said Wednesday that he has proposed arranging a meeting between members of Congress and Homeland Security officials, an idea he relayed to Intelligence Committee Chairman Richard BurrRichard Mauze BurrNC Republican primary key test of Trump's sway The 19 GOP senators who voted for the T infrastructure bill Senate votes to end debate on T infrastructure bill MORE (R-N.C.) as recently as this week.
“As Chairman Johnson knows, I’m always happy to discuss cyber issues, authorities, and jurisdiction,” Burr told The Hill in a statement Thursday.
Meanwhile, proponents of the bill continue to push for its passage. “I am hopeful that the Senate will get this bill to the president’s desk very soon,” House Homeland Security Chairman Michael McCaulMichael Thomas McCaulMore Republicans call on Biden to designate Taliban as terrorist group How lawmakers aided the Afghan evacuation Republican taps CNN reporter to investigate Biden's Afghanistan withdrawal MORE (R-Texas), who successfully moved the bill through the House, said Thursday.
Some lawmakers believe that “turf wars” over cyber in the broader federal government have precluded the development of a coordinated approach — thereby endangering the U.S. in cyberspace.
“We have to have a whole-of-government approach, yet the whole of government is just all in these discrete areas, doesn’t talk to each other like they should, and is not efficient,” Sen. Gary PetersGary PetersFreedomWorks misfires on postal reform Senators call on Taiwan for aid in automotive chip shortage Lawmakers raise concerns over federal division of cybersecurity responsibilities MORE (D-Mich.) lamented Wednesday during Krebs’s confirmation hearing.
“We’re not really focused on the overall mission, which is to protect the American people."
Sen. Heidi HeitkampMary (Heidi) Kathryn HeitkampProgressives prepare to launch counterattack in tax fight Business groups aim to divide Democrats on .5T spending bill On The Money: Powell signals Fed will soon cut stimulus MORE (D-N.D.) told Krebs that she expects him to “throw some sharp elbows” to uphold Homeland Security’s role. “There’s been a lot of turf on this, and there can’t be,” Heitkamp said.
But former officials acknowledge that Homeland Security, established following the September 2001 terror attacks, has been historically challenged in asserting its power with respect to other, older agencies.
“As it relates to intelligence-sharing and mission, DHS has long struggled with turf wars, first as the new kid on the block, then constant changes at the leadership levels, vacancies and lack of a clear chain of command at the middle management level,” said Norton.
“The cyber component is no different as DHS has had a history of a limited budget, lack of authority and mandate despite its stated mission to secure [federal networks].”
These factors, Norton said, spawn “natural power grabs” by other agencies looking to fill the void.
“The government is clearly working through cyber by putting the wheels on the bus as it’s moving.” Norton said.