Both Democratic and Republican-controlled Congresses have spent years pushing federal departments to draw clearer lines around their respective cyber lanes, outlining their distinct roles and responsibilities in the executive branch’s cybersecurity ecosystem. Now, lawmakers are increasingly looking to pressure those departments to turn those same exercises inward.
On Friday, the House Appropriations Committee released its spending bill for the Department of Defense. In an accompanying report, members direct the secretary of defense to provide them with a report within 90 days of the bill’s passage detailing how Pentagon leadership delineates roles and responsibilities within cyberspace among its various component agencies. Reciting a long list of high-level Department of Defense positions and offices, they write that “it is unclear…which offices and positions in the Department of Defense are responsible for cyber, cybersecurity, and cyberspace policies and activities.”
“For example, at a quick glance, the Committee finds a Deputy Assistant Secretary of Defense for Cyber Policy and a Senior Deputy Cyber Advisor for Cyber Policy in the office of the Assistant Secretary of Defense for Policy. In the office of the Chief Information Officer, which is also part of USD, there is a Senior Director of Cyber Security, a Deputy CIO of Cyber Security, and a Senior Deputy CIO who stands out as the chief adviser to the Secretary of Defense for cyber security,” the committee wrote. “The Defense Information Systems Agency (DISA), which reports to the CIO, has a Cybersecurity and Analysis organization. US Cyber Command ‘directs, synchronizes, and coordinates cyberspace planning and operations,’ as stated in its mission statement, and reports directly to the Secretary of Defense. The Department also has a Defense Cyber Crimes Center that may also have responsibilities for cyber activities and policies.”
The committee wants the report to include an organization chart that lists each office with responsibility for cyber activities, descriptions and distinctions between each position, and its reporting structure to Pentagon leadership.
It is the second time in the past week that Congress has introduced language directing a federal department to clarify its internal cyber hierarchy. During a House Armed Services Committee review of the National Defense Authorization Act, the committee adopted an amendment by Rep. Don Bacon, R-Nebraska, that would require the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) to outline roles and responsibilities in cyberspace for each component agency and clarify how those roles would interact in the face of an incident response commitment within the federal government.
Tatyana Bolton, director of cybersecurity policy and emerging technologies at R-Street, who was also a senior adviser to the Cyberspace Solarium Commission, told SC Media that internal consistency in cybersecurity activities between component agencies of the same department is a real problem within the federal government, and the military specifically.
“As with anything, it’s about power and access. Most major agencies do not have one office, but multiple offices that deal with cyber security, and not one, but multiple leaders vying to be the ‘senior advisor’ on cyber matters. Nowhere is that fight more real than at the Department of Defense, given its enormous breadth of responsibility,” Bolton said.
Mark Montgomery, who served as executive director of the Solarium and helped write many specific Defense Department recommendations that have passed into U.S. law, said the language reflects frustration in Congress and among others that defense leaders have not been able to outline a clear vision of how their cybersecurity hierarchy works despite multiple efforts in recent years to get answers. This failure comes even as the creation of the Office of the National Cyber Director, a key Solarium recommendation adopted by lawmakers, and the further empowerment of CISA have brought more coherence to how civilian agencies approach cyber.
“We’ve provided a lot of guidance to the Department of Defense over the last three [defense authorization] cycles and, to some degree, they have to start explaining what their new organization is like,” said Montgomery, now senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies, a nonprofit policy organization. “I am looking purely at the [Office of the Secretary of Defense] staff organizations, it hasn’t gotten cleaner and more efficient, and I would contrast this with the non-DoD side of government, which I think has gotten significantly better organized and efficient.”
While Chris Inglis, the first appointed national cyber director, has made it his mantra to further detail cybersecurity roles inside and outside of government, Bolton said that inside the Defense Department, it’s still very much a turf battle between the two components that have the greatest influence over cyber operations: US Cyber Command and the Office of the Secretary of Defense for Policy.
“Solving this problem is not as easy as requesting a report from Congress, but I applaud Congress for trying,” she said.
Montgomery believes it’s “very clear” that the department needs something akin to a cyber deputy secretary of defense who can act as the chief cybersecurity policy adviser to the secretary of defense. Without a dedicated cyber branch of the military (Montgomery said the Solarium and lawmakers tossed around the idea, but the Trump administration was more interested in creating a new Space Force), Defense Department cyber operations need to be more organized at the top because “you don’t have that unity of command that would have given you a single force.”
Partnerships for Information Sharing and the Cyber Workforce
The legislation also requires the department’s chief information office to seek opportunities to collaborate with CISA on a shared commercial cyber threat intelligence service. CISA has already established a program to offer similar services to other civilian agencies, state fusion centers, and information sharing and analysis centers, and lawmakers on the committee believe it’s an idea the Pentagon should adopt for its own cybersecurity ecosystem. It also directs the secretary of defense to provide “supplementary support” to CISA where needed to respond to attacks from countries such as Russia and China.
Earlier this year, Cyber Command announced a partnership with dozens of universities and colleges dedicated to building the nation’s cybersecurity workforce and familiarizing students with military cyber programs. The partnership, part of the agency’s academic engagement network, will provide university students with access to guest speakers from among U.S. CyberCom officials, non-public webinars on “urgent technical issues and non-technical issues” in cyberspace, and other communications about changes in the military agency’s cyber domain. Similar efforts across the department to engage and prepare college students for a post-graduation cybersecurity career could help reduce bureaucratic hurdles and delays that prevent the Department of Defense and other departments from hiring as quickly as their competitors from the private sector.
“The Committee believes that the Department of Defense should collaborate with colleges and universities to recruit cyber students during their junior or senior years, with the intent that upon graduation the student will have a full security clearance,” the committee wrote.