Both Democratic and Republican-controlled Congresses have spent years pushing federal departments to draw clearer lines around their respective cyber lanes, outlining their distinct roles and responsibilities in the executive branch’s cybersecurity ecosystem. Now, lawmakers are increasingly looking to push those departments to turn those same exercises inward.
On Friday, the House Appropriations Committee released its spending bill for the Department of Defense. In a companion report, members direct the secretary of defense to provide them with a report within 90 days of the bill’s passage detailing how Pentagon leadership delineates roles and responsibilities within cyberspace among its different component agencies. Reciting a long list of high-level DoD positions and offices, they write that it “remains unclear … which offices and positions at the Department of Defense are responsible for cyber, cybersecurity, and cyberspace policy and activities.”
“For example, at quick glance the Committee finds a Deputy Assistant Secretary of Defense for Cyber Policy and a Deputy Principal Cyber Advisor for Cyber Policy in the office of the Under Secretary of Defense for Policy. In the office of the Chief Information Officer, also part of USD, there exists a Principal Director for Cyber Security, a Deputy CIO for Cybersecurity, and a Principal Deputy CIO who is noted as the primary advisor to the Secretary of Defense for cybersecurity,” the committee wrote. “The Defense Information Systems Agency (DISA), which reports to the CIO, has a Cyber Security and Analytics organization. U.S. Cyber Command ‘directs, synchronizes, and coordinates cyberspace planning and operations,’ as noted in its mission statement and directly reports to the Secretary of Defense. The Department also has a Defense Cyber Crime Center which may also have responsibilities for cyber activities and policy.”
The committee wants the report to include an organizational chart listing each office with responsibility over cyber activities, a description of each position and how it differs from the others, and each position’s reporting structure to Pentagon leadership.
It’s the second time in the past week that Congress has introduced language directing a federal department to clarify its internal cyber hierarchy. During a House Armed Services Committee markup of the National Defense Authorization Act, the committee adopted an amendment from Rep. Don Bacon, R-Neb., that would require the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) to sketch out roles and responsibilities in cyberspace for each component agency and clarify how those roles would interact in the face of an incident response engagement within the federal government.
Tatyana Bolton, policy director for cybersecurity and emerging technologies at R-Street, who was also a senior advisor to the Cyberspace Solarium Commission, told SC Media that internal coherence on cybersecurity activities between component agencies under the same department is a real problem within the federal government and the military specifically.
“As it is with anything, this is about power and access. Most major agencies have not just one office, but multiple offices that handle cybersecurity, and not one, but multiple leaders vying to be the ‘principal advisor’ for cyber. Nowhere is that struggle more real than in the DoD, given their enormous breadth of responsibility,” said Bolton.
Mark Montgomery, who served as the executive director of the Solarium and helped write many DoD-specific recommendations that were passed into U.S. law, said the language reflects the frustration of Congress and others that defense leaders have not been able to sketch out a clear vision of how their cybersecurity hierarchy works despite multiple efforts in recent years to get answers. This failure comes even as the creation of the Office of the National Cyber Director — a key Solarium recommendation adopted by lawmakers — and the further empowerment of CISA has brought more coherence to the way civilian agencies approach cyber.
"We’ve given a lot of guidance to DoD over the last three [defense authorization] cycles and to some degree, they have to start explaining what their new organization looks like," said Montgomery, now senior director of the Center on Cyber and Technology Innovation at hawkish foreign policy non-profit Foundation for Defense of Democracies. "If you’re looking purely at the [Office of the Secretary of Defense] staff organizations, it has not gotten cleaner and more streamlined, and I would contrast this with the non-DoD side of the government, which I think has gotten significantly better organized and efficient."
While Chris Inglis, the first appointed national cyber director, has made it his mantra to further spell out cybersecurity roles inside and outside of government, Bolton said that within DoD it’s still largely a turf battle between the two components that have the most influence over cyber operations: U.S. Cyber Command and the Office of the Secretary for Defense for Policy.
"Resolving this issue isn't as easy as requesting a congressional report, but I applaud Congress for trying," she said.
Montgomery believes it's "very clear" that the department needs something akin to an assistant secretary of defense for cyber who could act as the primary cybersecurity policy advisor to the secretary of defense. Without a dedicated cyber branch of the armed forces (Montgomery said the Solarium and lawmakers kicked the idea around but the Trump administration was more interested in standing up a new Space Force) DoD cyber operations must be more organized at the top because "you don't have that unity of command that a single force would have given you."
Cyber workforce and information-sharing partnerships
The legislation also pushes the department’s chief information office to look at opportunities to collaborate with CISA on a commercial cyber threat intelligence shared service. CISA has already set up a program to offer similar services to other civilian agencies, state fusion centers and information sharing and analysis centers, and lawmakers on the committee believe it’s an idea the Pentagon should adopt for its own cybersecurity ecosystem. It also directs the secretary of defense to provide “supplementary support” to CISA where needed to respond to hacks from countries like Russia and China.
Earlier this year, Cyber Command announced a partnership with dozens of universities and colleges dedicated to building up the nation’s cybersecurity workforce and familiarizing students with military cyber programs. The partnership, part of the agency’s Academic Engagement Network, will give students at participating schools access to guest lectures from U.S. CyberCom officials, non-public webinars about “pressing technical problems and non-technical problems” in cyberspace and other communications from the military agency about changes in the cyber domain. Similar efforts across the department to engage with and prepare college students for a post-graduation cybersecurity career could help cut down on bureaucratic hurdles and delays that prevent DoD and other departments from hiring as quickly as their private sector competitors.
“The Committee believes that the Department of Defense should collaborate with colleges and universities to recruit cyber-focused students during their junior or senior years, with the intent that upon graduation the student will have a completed security clearance,” the committee wrote.