At a glance.
- Report says NSA and Cybercom partnership is a net positive.
- Is CISA lacking focus?
- DHS highlights the need for public-private collaboration.
- GAO report: military struggles to retain cyber talent.
Report says NSA and Cybercom partnership is a net positive.
As the Washington Post explains, for years the National Security Agency (NSA) and US Cyber Command (Cybercom) have operated in a symbiotic relationship, sharing one leader – four-star General Paul Nakasone – as well as resources. Though some experts have questioned this dual-hat arrangement, fearing that Cybercom is a drain on NSA resources, a recent report submitted to US Defense Secretary Lloyd Austin and Director of National Intelligence Avril Haines points strongly in favor of maintaining the partnership. The report, drafted by a group of lawmakers led by former chairman of the Joint Chiefs of Staff Joseph F. Dunford Jr., said that keeping the current structure benefits both organizations and, in turn, national security. When Cybercom was first created, many expected that it would eventually become strong enough to stand on its own. As Cybercom has matured, it has shown it is capable of earning its keep, collaborating with NSA on programs and tool development, and Cybercom’s “hunt forward” missions have given NSA valuable insight into adversaries’ techniques and tactics. In creating the report, Dunford’s group interviewed a variety of practitioners at a range of levels and found that many who had previously opposed the partnership have since seen its value. Nicole de Haay, spokesperson for the Office of the Director of National Intelligence, says the review “identified substantial benefits of the dual-hat leadership structure of NSA and USCYBERCOM and no significant adverse impacts to intelligence activities, cyber effects operations or cyberdefense that would justify terminating the arrangement, even as additional areas of study were identified that could improve performance under the dual hat.”
Is CISA lacking focus?
In 2018 the Department of Homeland Security's National Protection and Programs Directorate was replaced with the Cybersecurity and Infrastructure Security Agency (CISA), tasked with bolstering the cybersecurity of the nation’s federal networks and critical infrastructure. FedScoop spoke with over thirty insiders to get a sense of how CISA is faring four years in. Most of these experts – who include fourteen current and former CISA employees and eighteen other authorities on CISA’s operations – paint a picture of an agency that lacks clearly defined strategies and direction. Representative Jim Langevin, who was an early supporter of CISA’s creation, noted that the agency is a year late in completing its “force structure assessment,” an organizational planning, staffing and budgeting document used to determine agency funding. “There are a lot of things that the agency can and should do better,” Langevin stated.
Others noted that CISA has struggled to hire appropriate cyber talent, perhaps because of a lack of clarity about its objectives. Former CISA researcher Beau Woods stated, “Front-line employees would benefit from having a consistent directional strategy,” adding that the leadership lacks “clear outcomes or a clear understanding of what good looks like.” A current senior US cyber official implied the agency is more concerned with its public image than its internal strategy, stating, “I don’t know what the CISA vision and agenda is internally from leadership. I think they do far more external communication than internal communication.” Others agreed that Director Jen Easterly could be overly focused on CISA’s visibility, regularly attending events like the RSA Conference and DEF CON, maintaining an active social media presence on Instagram, and even becoming the subject of a recent feature on “60 Minutes.” “The day-to-day effect of Jen’s branding push is that it hurts the work and mission execution,” a former CISA official said. “It’s not what the staff want… They want the focus to be about the work, not about one person.”
DHS highlights the need for public-private collaboration.
At a recent webinar hosted by Billington Cybersecurity, Iranga Kahangama, assistant secretary for Cyber, Infrastructure, Risk, and Resilience at the Department of Homeland Security (DHS), underscored the importance of public-private partnerships in securing US critical infrastructure. “Whether we’re doing security directives or whether we’re doing the performance goals, we do them hand in hand with industry. And going forward, we’re committed to continuing that coordination with the private sector, especially critical infrastructure providers,” Kahangama stated. As MeriTalk explains, DHS has established several initiatives to bolster this partnership, and in October the Cybersecurity and Infrastructure Security Agency released its long-anticipated cybersecurity performance goals, giving critical infrastructure owners and operators guidelines for prioritizing key security measures. Kahangama also noted that the Cyber Incident Reporting Council gathered several federal agencies to streamline “the way we do business. Therefore, regulatory agencies, independent agencies, departments, and agencies don’t have conflicting requirements.”
GAO report: military struggles to retain cyber talent.
In a Senate report that accompanied the 2022 National Defense Authorization Act, the US Congress requested that the Government Accountability Office (GAO) conduct a review of “recruiting and retention challenges as well as ‘service obligations’—minimum terms of military service—for active-duty military cyber personnel.” The GAO released the report on Wednesday, and it notes that while the Defense Department (DOD) invests resources in cyber training for military personnel, not all of the armed forces have requirements for how long those personnel must remain in their positions to ensure that the DOD receives a return on its investment. As Nextgov explains, the report notes that the Navy and Air Force “have guidance requiring a three-year active-duty service obligation for military personnel who receive lengthy and expensive advanced cyber training,” but the Army “does not clearly define active duty service obligations” and the Marine Corps also lacks such guidance. The result, according to the report, is that the DOD is losing talent to the private sector. The report states, “DOD faces increasing competition from the private sector looking to recruit top cyber talent to protect systems and data from a barrage of foreign attacks.” The report's recommendations include requiring the Army and Marine Corps to “clearly define active-duty service obligations for advanced cyber training in guidance, and that the Army, Air Force and Marine Corps track cyber personnel data by work role.”