Software giant Microsoft has added its voice to a growing chorus calling for the creation of a federal cybersecurity agency to coordinate the U.S. government’s response to nation-state and cyber criminal threats.
In a blog post on Monday, Microsoft’s Senior Director of Trustworthy Computing, Paul Nicholas, called on the U.S. and other nations to replace ad-hoc efforts to address cyber threats by creating a “single national cybersecurity agency” that will pull together key government functions related to information security and “ensure policies are prioritized across the nation.”
The recommendation, which Microsoft described in a whitepaper (PDF), comes amid increasing concern that events are overtaking governments, leaving the world vulnerable to catastrophes that may have their origins in activities that take place on the Internet. Speaking in Lisbon, Portugal on Monday, U.N. Secretary Antonio Guterres called for the creation of global rules that minimize the impact of electronic warfare on civilian populations.
“Episodes of cyber warfare between states already exist. What is worse is that there is no regulatory scheme for that type of warfare, it is not clear how the Geneva Convention or international humanitarian law applies to it,” Guterres said in the speech, which was given at the University of Lisbon, Reuters reported.
Despite that, national efforts to address cyber threats vary greatly from country to country, Nicholas wrote for Microsoft. Efforts range from dedicated government bodies that are tasked with cyber security, to delegated responsibility centered on departments within existing government ministries, to law enforcement-based programs that emphasize incident response by way of police and government computer emergency response teams (CERTs).
In the U.S., a wide range of different federal agencies have a hand in responding to cybersecurity incidents. The Department of Justice has both the FBI and the National Cyber Investigative Joint Task Force (NCIJTF). The Department of Homeland Security has a role, as does the Office of the Director of National Intelligence (DNI) through the Cyber Threat Intelligence Integration Center. Broadening the scope from just incident response, the FTC, the US Secret Service and the National Institute of Standards and Technology (NIST) all play a part in the nation’s cyber security readiness. Just last week, the Department of Energy announced it was setting up an Office of Cybersecurity, Energy Security and Emergency Response (CESER) – yet another Federal Government body with a purview that extends to cyber threats, insofar as they target energy infrastructure.
Writing for Microsoft, Nicholas advocated a different approach, with a single agency that can consolidate cyber security expertise, even as use cases “cut across many ‘traditional’ government agency policy areas, such as justice, treasury, defense, or foreign affairs.” “Having a centralized authority will help establish a horizontal baseline of cybersecurity best practices which the different sector-specific verticals can build off,” he wrote.
That agency should be broken up into five areas, responsible for policy and planning, outreach, communications, operations and regulations. Together, they will handle everything from the development of cyber security policies and practices to their implementation and coordination across government and private sector institutions to compliance with those policies.
The issue of cyber risk has taken on increased importance in recent years, following destructive cyber attacks by the WannaCry and NotPetya malware in May and June of 2017. Those incidents were attributed to nation-backed hacking groups linked to the governments of North Korea and Russia, respectively. The US joined the government of the UK earlier this month in pointing the finger of blame at Russia for NotPetya, which caused billions in damages to western firms and affected some 2,000 businesses, government agencies and civil society organizations in Ukraine.
The recent indictment of 13 Russian nationals and groups working within Russia for a broad conspiracy to undermine the 2016 Presidential Election in the U.S. and the apparent continued efforts on behalf of foreign adversaries to promote social unrest have also stoked interest in the need to coordinate efforts to secure critical infrastructure such as voting and vote tabulation machines from tampering.