2014 was a banner year for cybersecurity. In March, a group of hackers installed a malicious piece of software in Target’s security and payments system and obtained 40 million credit card numbers and 70 million private addresses. In September, a security flaw called Shellshock was discovered in Bash, a software shell built into 70% of the world’s computers that allows users and running programs to interact with a computer’s operating system. In November, a series of mysterious events at Sony Pictures began to unfold that the FBI later determined was a security breach by the North Korean government. On Christmas Day, a hacker group called Lizard Squad took down PlayStation Network and Xbox Live simply to increase its own publicity.
These events have installed cybersecurity into the American vernacular and have shed light on the necessity of swift and calculated responses by governments and private companies alike.
On February 25, the White House announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC), a new agency designed to improve US public and private sector cybersecurity. According to a White House fact sheet, the agency’s purpose is as follows:
The CTIIC will provide integrated all-source intelligence analysis related to foreign cyber threats and cyber incidents affecting US national interests; support the US government centers responsible for cybersecurity and network defense; and facilitate and support efforts by the government to counter foreign cyber threats.
The CTIIC is thus intermediary by design. It will not be a large agency; initial targets are 50 employees and a $35 million budget taken from the 2016 defense budget. The CIA’s 2013 budget, by comparison, was an estimated $15 billion (the actual figure is classified). The CTIIC’s purpose is coordinating information across existing intelligence agencies such as the FBI, CIA and NSA. It will not deal directly with cyber attacks, but will rather focus on facilitating communication to ensure a fast response. The FBI, CIA and NSA each has its own dedicated team of cyber specialists whose job it will be to respond to attacks.
Since details are scarce so soon after the announcement of the CTIIC’s creation, I will instead examine the key indicators of success or failure for this new agency.
1. Is more bureaucracy the answer?
It is difficult to ascertain the actual operational purpose of the CTIIC. The high-level purpose is clear, but what will the 50 employees do on a day-to-day basis? The CIA is currently responsible for being the ears to the ground for cyber and terrorist attacks, so it seems unlikely that CTIIC will help in that capacity. Furthermore, if the purpose of the agency is simply to facilitate better communication between existing agencies, then why does an entirely new agency need to be created? Could a more efficient solution be to assign explicit communication roles to members of those other agencies and do away with the middleman?
One possibility is that the agency will focus on the strict analysis of cyber incidents, leaving the FBI to focus more exclusively on investigation. I assume that the coming months will see the release of more specific details. Right now, it is hard to tell why this solution is the best one.
2. How closely will the agency work with the private sector?
The most specific information that we have right now is that roughly half of the 50 target staff members will be permanent employees of the CTIIC while half will be detailees from other intelligence agencies that will be the CTIIC’s clients. The troubling nature of this information is that there are no plans to include the private sector in any capacity. In fact, during the announcement of the CTIIC, White House cybersecurity coordinator Michael Daniel stated that private sector cyber specialists from key industries such as finance and energy will not be included.
The success of the agency will depend on heavy cooperation with the private sector, so this balance of staff will have to change for the CTIIC to be effective. Private sector companies are also operating America’s critical systems along with the government. Major cyber attacks to date have not been terrorist in nature; future attacks could include security breaches in American energy, water, or financial systems.
Relations between the White House and the private sector have recently been strained over consumer privacy issues. Stanford University hosted the White House Summit on Cybersecurity and Consumer Protection in February. The White House invited several major tech CEOs, but only Apple CEO Tim Cook attended. Facebook Chairman and CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google CEO Larry Page each declined to attend the summit. Although the companies did not explain their executives’ decisions, one likely factor is the recent souring of relations with the White House. The companies have clashed with the Obama administration over issues such as government information sharing and the privacy rights of users.
The CTIIC also has the potential to be a boon to private sector companies themselves. The agency should focus on downgrading select pieces of intelligence to the lowest levels of classification to make it widely available to private sector companies. This way, if the new agency is successful in analyzing threats and establishing cyber standards, everyone can benefit.
3. Will the creation of CTIIC be the extent of the White House’s response to recurring cyber threats?
After several of the most devastating cyber attacks of the last decade, the White House needs to ensure that existing agencies become more effective. I assume that changes are happening behind the scenes at the FBI, CIA and NSA; but this information is mostly kept confidential. If the Obama administration is betting on an agency focused on communication as opposed to response to bolster American cybersecurity, then cyber incidents will continue to wreak havoc on US public and private institutions in the years to come.
The views expressed by the author do not necessarily reflect those of the Glimpse from the Globe staff, editors, or governors.