Central Cyber Sec. Agency Would Partner With Industry, Share Intel

Ret. Gen. David Petraeus Describes Vision Of 'NCA'

Dan Gunderman
09/12/2018

Cyber security is one of the biggest threats organizations, enterprises and governments face. Today, cyber-attacks reign supreme, with the potential to knock a nation off its electrical grid, disrupt the electoral process or intrude on the global financial market.

Many political experts and pundits have also labeled cyber security a top challenge for today’s lawmakers. In the U.S., specifically, both Republican and Democratic members of Congress agree that the security of federal, state, local and private networks must be a priority. If it is not, and security posture falls by the wayside, many are predicting a Sept. 11-like attack, this time delivered via the web.

Well-known retired general David Petraeus recently penned a column for Politico about the utmost importance of cyber controls, and the consequences of ignoring them.

Petraeus, who commanded coalition forces in Iraq and Afghanistan, served as director of the CIA, and is now a partner in the global investment firm KKR and a member of the board of Optiv, a cyber security services firm, said, “Our most critical infrastructure systems are vulnerable to malicious foreign cyberactivity and, despite considerable effort, the collective response has been inadequate. As Director of National Intelligence Dan Coats ominously warned, ‘The warning lights are blinking red.’”

Petraeus then took time to outline current cyber security initiatives. And, while they are strong, he said they must be amplified to meet the needs of today’s threat landscape. In the Politico piece, co-authored by Kiran Sridhar, Petraeus said that while cyber-threats have changed, the national approach to cyber defense has not.

See Related: DHS Updating Reporting Metrics For Cyber-Incidents

“The Department of Homeland Security is currently the federal entity responsible for protection of critical infrastructure from cyberattacks; however, although Secretary of Homeland Security Kirstjen Nielsen has pursued a number of commendable cybersecurity initiatives, her agency has such a vast portfolio of responsibilities that it can’t possibly give cybersecurity the attention and resources it requires,” Petraeus wrote. “The department’s cybersecurity strategy was submitted over a year late, the organization lacks a sufficient ‘brand’ to recruit and retain top talent, and many companies have proven reluctant to collaborate with it.”

He cited a “piecemeal” response outside of Homeland Security, too, suggesting that initiatives at all levels of government, and for critical infrastructure operators, have been “hampered by a lack of coordination and resources.”

Petraeus’ solution would require an act of the Executive Branch, effectively creating a new agency to double down on cyber-defense. Petraeus calls it the “National Cybersecurity Agency” (NCA), a body that would promote cyber-awareness, share information, collaborate with the private sector and infrastructure operators, report to the president, have the ear of Congress, and take some of the burden off DHS.

Petraeus wrote, “The NCA would fill yet another critical need in providing an effective coordinating body with the authority to convene companies and government agencies at all levels. This is particularly important as the government’s cyber response has become even more siloed since the elimination of the Cyber Coordinator role in the White House.”

[Photo: Dominic Dudley/Shutterstock.com]
General David Petraeus (above), speaking at defense think-tank RUSI, in London on March 4, 2016. Petraeus recently outlined his vision of a central cyber security agency, facilitating partnerships with industry.
The retired general also laid out, from the outset, five key pillars for the NCA: authority, oversight, investment, information sharing and talent.

Under “oversight,” the Politico contributor outlined a task that would likely improve communication and partnerships with the public sector. As such, many NCA principles would, in theory, carry over to the private sector – a space keen on governing frameworks and benchmarking activities.

See Related: DHS Cyber Security Initiative Plans To Partner Public & Private Sectors

Petraeus wrote: “The NCA wouldn’t supplant existing regulators with sector-specific expertise; rather, it would build upon existing private-public security collaborations – which have proved particularly successful in the financial industry – by gathering industry regulators and leading companies to develop standards and protocols.”

Citing the growth of cyber-weapons, the contributor pointed to gaps in infrastructure and software that leave serious vulnerabilities. An NCA relationship with industry would, in theory, help close that gap.

He added: “(And) when it comes to information-sharing, however, a study by the Government Accountability Office documented a complex regime of inadequately defined agency roles and insufficient resources and knowledge.”

It is here, with heightened information-sharing, that a hypothetical NCA would build rapport with industry and with leading vendors that hold large volumes of threat intelligence. What’s more, standards and protocols established by the NCA could then set the proverbial bar for emerging enterprises looking to boost their own maturity.

Petraeus called the NCA the “single clearinghouse needed by government and industry, coordinating real-time updates on attacks, threats and vulnerabilities.”

Cultural shifts and awareness around NCA functions might also help combat the talent crisis – both within the public sector and, by extension, beyond it. Petraeus cited a Harvard Belfer Center estimate that the federal government faces a deficit of 10,000 cyber security professionals. Elsewhere, Cybersecurity Ventures has cited a potential jobs shortfall of 3.5 million by 2021.

Perhaps concerted efforts within an NCA would build the trust, awareness and wherewithal needed to combat burgeoning threats. It seems like a natural progression for the space, and many of its efficiencies could be carried over to the private sector.