The following editorial appeared on Bloomberg View.
Give a warm welcome to the newest member of the U.S.’s national cybersecurity family, the mellifluously named Cyber Threat Intelligence Integration Center.
The new agency, unveiled Tuesday, will be modeled on the National Counterterrorism Center and designed to share information about cyberthreats. It’s expected to employ about 50 people with a budget of $35 million. That may not sound like much, as these things go. Until you remember just how vast and convoluted the federal cybersecurity bureaucracy already is.
For just a small sampling, consider that the Pentagon’s Cyber Command protects the military, the National Security Agency protects sensitive government networks, the Department of Homeland Security helps protect critical infrastructure, the FBI pursues cybercriminals and spies, departments and agencies across the government protect their own networks, and the White House watches over things with a cybersecurity coordinator and a Cyber Response Group.
All of the above, of course, want more money and bigger staffs. President Barack Obama’s new budget asks for $16 billion to shore up digital defenses, after years of already intensive investment. The Pentagon alone spends about $5 billion on cybersecurity a year, not counting a doubtless ample classified budget. If you’re a contractor, you don’t need a weatherman to know which way the wind’s blowing.
Now there is the CTIIC. It will be part of the Office of the Director of National Intelligence — which already has a cybersecurity team — and will seek to integrate the information pouring in from all points, to get a sense of the bigger picture.
Sounds great in theory. But two questions arise:
First, will yet another acronym really help organize this proliferating bureaucracy? The White House should clarify, for example, how this new fiefdom will differ from (or work with) the National Cybersecurity and Communications Integration Center, one of five divisions of the Homeland Security Department’s Office of Cybersecurity and Communications. The NCCIC describes itself as “a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement.” This sounds an awful lot like what the new center expects to be.
Second, what rules will govern this new apparatus? If it’s to straddle the line between intelligence and law enforcement — and between the government and the private sector — it will quickly have to confront the familiar tensions between civil liberties and security.
Finally, the parallel with fighting terrorism that the White House has invoked seems wrong. The NCTC has indeed done a good job of harmonizing the nation’s intelligence operations. But transparency with the public matters a lot more in cybersecurity than in counterterrorism, while borders and nationalities typically matter less. Sensitive civilian information is more likely to come into play.
Again and again, the government has responded to digital threats by asking for more money and more people. This hasn’t been a notably successful strategy. The White House needs to explain why one more agency will finally do the trick.