The time has come to play taps for the vaunted defensive arm of the National Security Agency, the Information Assurance Directorate (known among cyber peeps as IAD). Last month, the NSA merged into an Operations Directorate that will combine the NSA’s espionage mission (signals intelligence) with its cyberdefense function.
There is no doubt that integrating intelligence and defensive forces more tightly will lead to greater agility. Cyber operations are more like soccer than American football. Much like soccer, in cyberspace the offense and defense play together on the same field, at the same time.
It’s also true that multiple authorities used in collaboration maximizes effect. Indeed, the Justice Department has made a similar argument for years – that by using both law enforcement and counter-intelligence authorities, the DOJ and the Federal Bureau of Investigation can be much more effective in stopping cybercrime that has criminal, espionage and terrorist elements. And while reorganizations are sometimes pooh-poohed as only “rearranging the deck chairs,” I agree with the NSA — where you place the deck chairs matters.
Here, NSA is maximizing its operational effectiveness. But this new organizational structure doesn’t only have the effect of more agile capabilities, it has others as well.
First, there are risks to privacy. Integrating signals’ intelligence and cybersecurity more tightly means that information will be shared more rapidly and seamlessly. That means that restrictions on information sharing and use, for privacy or other reasons, will be harder to police and enforce – not impossible, just harder. A full examination of operational controls and oversight mechanisms under the new organization is absolutely critical.
Second, there are risks regarding the level and transparency of effort for protecting networks and infrastructure. To quote another aphorism, “where you stand depends on where you sit,” and NSA’s cybersecurity (information assurance) people now sit somewhere else. Of course, they are not changing agencies, but the IAD team is moving from a Directorate focused on “Information Assurance” to one focused on “Computer Network Operations…to gain a decision advantage for the Nation and our allies under all circumstances.” Even though that “decision advantage” depends in part on defense, defense and offense combined is significantly different as a Directorate goal than defense only. Time will tell whether we see a difference in what was “IAD,” does or shares.
Third, there are risks regarding collaboration with industry, which is increasingly important in our interconnected world. The NSA has had a great history of working with the private sector going back at least to the Rainbow books, but those relationships have already been strained in a post-Cyber Command, post-Snowden world. Companies, NGOs and others can no longer have a relationship with IAD. Instead the private sector has to have a relationship with the “Operations Directorate” responsible for gaining a “decision advantage” for the United States. That may be harder to sustain and may impose economic consequences on companies that do work with the NSA on its cybersecurity mission.
But the government has overcome these concerns. Exponentially increasing cyber threats, which recently expanded to risking the integrity of our presidential electoral process, must seem to require a doubling down on cybersecurity power. The NSA reorganization seems to reflect a foundational belief that the internet is a domain of battle and intelligence, and that survival requires that other sacrifices be made to be the best in that arena.
We are moving even further toward the rules of the strongest, rather than the rule of law. Even if that is the right answer, it’s a sad one for us all. Cue the bugler.
Phillip Reitinger is president and CEO of the Global Cyber Alliance, an international, cross-sector effort designed to confront, address and prevent malicious cyber activity. Reitinger is the former deputy undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Submission guidelines can be found here.