Lincoln Davidson is a research associate for Asia Studies at the Council on Foreign Relations.
Republican presidential candidate Ben Carson released a document last week outlining how his administration would deal with challenges to cybersecurity, making him the second candidate from either party to lay out a comprehensive proposal on cyber (the first was Jeb Bush, whose plan we looked at here). Carson argues that the United States’ reliance on the Internet makes cybersecurity an issue of critical national importance, and that a centrally-coordinated response is necessary if the country wishes to secure cyberspace “without stifling the creativity and freedom” it has brought.
Cybersecurity is like the space race. The importance of the Internet and the United States’ reliance on information and communications technologies (ICTs) is increasing rapidly, and we risk falling behind the numerous adversaries—both state and non-state—seeking to exploit weaknesses in our cyber defenses. To do so, Carson argues, we need a new space race, but for cyberspace. That means a bold vision from the United States’ leader to motivate the American people “to make America the unquestioned cyber power on the planet.”
Everyone has to get involved. Confronting the numerous challenges to cybersecurity will require action by individuals, the private sector, and the government. Carson says that United States citizens “cherish the Second Amendment for our right to self protection [and] we must apply this same zeal to protecting our computers.” While he believes that the government is not responsible for private sector networks, Carson argues that the government needs to incentivize companies to increase their defenses and share information on cyber incidents with law enforcement officials. Within the government, civilian agencies that deal with cyber need to keep on doing the things they’re currently doing, while the military must maintain dominance in the cyber domain, to provide both cyber defense and offense to help achieve military objectives.
The United States needs a new NASA—for cyberspace. According to Carson, “our current national approach to cyber security is disjointed and ineffective.” To fix this, he proposes a “National Cyber Security Administration (NCSA)” to “organize and streamline our efforts to secure America’s online presence.” The NCSA would coordinate the cybersecurity efforts of federal agencies and private firms and serve as a one-stop shop in the government for all things cyber.
Viability and Impact
Carson contends that “the NCSA is not a new federal bureaucracy,” it would simply consolidate all the cybersecurity-related functions currently spread across the federal government. However, the specific proposals he lists all emphasize its role as a coordinator, rather than a centralized unit. For example, he writes that the NCSA will help the FBI and US-CERT to take down botnets and that it will work with all government agencies to assist them in preparing cyber emergency preparedness plans. This proposal sounds like an expansion of the White House cybersecurity coordinator’s office into an entire agency, which seems to be the creation of a new federal bureaucracy. The only area in which it seems that Carson’s NCSA would actually cut down bureaucracy would be in centralizing the best practices for online security and privacy that different government agencies currently advocate for.
Semantics aside, almost all of the functions of the NCSA that Carson lists—education, best practices, vulnerability research, emergency preparedness, working with cybersecurity research “centers of excellence,” and privacy and civil liberties protection—are already carried out by the Department of Homeland Security. It’s not clear how putting all of those functions in a different agency would be any more effective than the status quo.
More importantly, is this centralization actually a good idea?
For instance, with regard to best practices, it’s arguable that this has already been done. The NIST Cybersecurity Framework is currently the gold standard for cybersecurity across the government and private sectors. Yes, there are some sector-specific standards proposed by different regulators, such as the Federal Energy Regulatory Commission’s grid reliability standards, but that’s a good thing.
By the same token, it’s not clear that pulling resources from departments across the federal government that are specialized in cyber and already have some expertise in that area just to recreate their functions in a new agency would make U.S. networks more secure than they currently are. Early on in his proposal, Carson emphasizes the extent to which the Internet and ICTs permeate every aspect of modern life. This is no less true for the functions of government. Although there needs to be dialogue between the cyber departments of different agencies to ensure silos don’t develop, it’s also beneficial to have different approaches tailored to the objectives of each agency.
However, the greatest failing of Carson’s cybersecurity strategy is that it assumes there’s a clear end goal in cybersecurity. When Kennedy announced that the United States would put a man on moon before the decade was out, there was a clear objective the whole nation could look to. With security, there’s nothing of the sort. Security is a constantly moving target. On top of that, declaring that a system is secure is saying you’ve eliminated all unknowns. Not so with the moon landing; in that case, we could look at the moon dust on Neil Armstrong’s boots as definitive proof he’d actually made it.