Commentary

Commentary: Homeland Security makes the right moves to bolster our cybersecurity

By: Francis Taylor

This piece originally appeared in The Hill, August 2, 2019

If there is one thing that was learned from the 2016 presidential election, it is that protecting our election infrastructure cannot be only a passive decision. There is a need to be proactively assessing our environment to ensure that we are implementing the cybersecurity features that fortify our systems and, ultimately, our American democracy. This is where the Cybersecurity and Infrastructure Security Agency comes into full play.

The Cybersecurity and Infrastructure Security Agency was inaugurated in 2018 as a component within the Department of Homeland Security. Its primary objectives are to lead cybersecurity efforts across the federal government and to work with the critical infrastructure community to help protect their networks. But it was not conceptualized solely on the basis of Russian interference. The evolving concerns that the Cybersecurity and Infrastructure Security Agency plans to prioritize as it is now entering its second year include supply chain, 5G networks, and election security.

Standing up the Cybersecurity and Infrastructure Security Agency last fall, an effort that was started by the Obama administration but realized by President Trump, has signaled cybersecurity as a priority deserving of greater resources. Top Department of Homeland Security officials had been championing the decision, advocating that the creation of the Cybersecurity and Infrastructure Security Agency was necessary for streamlining its goals. It is able to act more independently, like how the Federal Emergency Management Agency operates, so barriers to decision making are eliminated, and responses are more efficient and successful.

Under the leadership of Chris Krebs, the Cybersecurity and Infrastructure Security Agency has initiated a solid roadmap outlining how it will fully mature its capabilities over the next two years. While it may appear to be acting similarly to an intelligence agency through its information sharing efforts, there is a major distinction in that it will operate transparently. This is a huge win for all its civilian, private sector, and government partners navigating the complex cybersecurity landscape.

The Cybersecurity and Infrastructure Security Agency understands that a majority of our cybersecurity infrastructure resides in the private sector and is committed to taking actions to counter threats that extend beyond government systems. This means it will work closely with cybersecurity infrastructure entities to understand what they themselves perceive to be the greatest risks to their systems. This not only improves the efficacy of solutions, but it helps achieve buy-in, which greatly strengthens efforts.

Still, the Cybersecurity and Infrastructure Security Agency exhibits both form and function. There are new emerging cyberthreats that are rapidly changing and advancing, including the durability of the supply chain. Cybercriminals and foreign adversaries have demonstrated the ability to exploit vulnerabilities in the supply chain, gaining access to sensitive data. These perpetrators are acting strategically to disrupt our systems, and the Cybersecurity and Infrastructure Security Agency is expected to exercise collective defense to manage these risks and share actionable intelligence with important network defenders positioned to act on it.

One resource that the Cybersecurity and Infrastructure Security Agency now relies on is its Information and Communication Technologies Supply Chain Risk Management Task Force that is comprised of federal partners and dozens of the largest companies in the information technology and communications sectors. Its participants are crafting strong proposals to manage several weaknesses in the international technology supply chain.

It comes as no surprise that another focal point is 5G. However, with the advantages of 5G come the downsides, as there are greater opportunities for our adversaries such as China to gain access to our networks and for insecure technology to gain outsized market share. To defend against all these new threats, the Cybersecurity and Infrastructure Security Agency coordinates with the Department of State, the Department of Commerce, the Federal Communications Commission, and the White House. This is necessary to determine risk mitigation strategies, such as mandating all 5G technology be interoperable, or banning some providers like Huawei.

But what about election security? Was that not the driving force in establishing the Cybersecurity and Infrastructure Security Agency? It is indeed working to expand upon the relationships with state and local election officials and voting machine vendors that emerged from the 2018 midterm elections. The Department of Homeland Security now finally recognizes elections as part of our cybersecurity infrastructure, and so engagement with these partners has been paramount to understanding how they operate. Collaboration between state and local election officials and the federal government is a major factor in incentivizing the patching of election systems and helping the Cybersecurity and Infrastructure Security Agency achieve its goal of 100 percent auditability by 2020.

The Department of Homeland Security is a proven government leader by launching the Cybersecurity and Infrastructure Security Agency to focus on emerging cyberthreats. With this leadership comes the responsibility to integrate and coordinate with the private sector to ensure secure and sustainable partnerships. Connecting these entities will inform decision making and provide pathways for innovation and intelligence sharing.

Francis Taylor served as undersecretary for intelligence and analysis at the Department of Homeland Security and as assistant secretary for diplomatic security at the Department of State. He is now with Cambridge Global Advisors.

Commentary: China's Lost Decade?

By: Christopher Burnham, CGA Chairman

No big news that China’s economy is the slowest it has been in decades. It had to slow, just the way Japan’s economy doubled every ten years from the ashes of World War II to become the second largest in the world, and then crashed in 1990 starting Japan’s “Lost Decade” (the Nikkei crashed more than 80%).

China’s economy has been growing much faster than that, and even if you cut their reported GDP numbers in half, which one World Bank analysis said was appropriate (see my Forbes column from last November), it is still a massively impressive resurrection from the failure of Mao’s “Great Leaps”.

Recent reports, however, portend a troubled economic future for China, which they could avoid through a trade deal with the U.S.

The three drivers of immediate concern for this potential catastrophe are the following: their massive credit expansion, African swine fever, and a Fall Armyworm infestation. Longer term items that threaten a stable China are a rapidly aging population and soon to be shrinking work force, the inability to restructure bloated and inefficient companies, an asset/real estate bubble similar to what Japan experienced, and increasing competition in manufacturing driven by robotics. The restructuring issue is an interesting one, because the Chinese Government prevents companies from downsizing their labor force. Many companies have systemic and unsustainable fixed labor costs that can’t be restructured lest the companies be criticized and punished by political authorities. 

For the immediate concerns, the International Institute of Finance’s recent Global Debt Monitor Report, and the well-articulated interview with Ariel Investment’s CIO, Rupal J. Bhansali, point out that China’s credit growth for the past ten years has ballooned from about $9 trillion to over $41 trillion. This is more than twice the debt load of the U.S. and more than four times that of Japan.

The good news is that the Hong Kong-based data company, CEIC, estimates that there is more than $27 trillion in private deposits in China, and with a government as powerful as President Xi’s, certainly they can use the power of eminent domain to seize some of those deposits to stave off economic collapse—this has actually been relabeled by some of the Democrats running for president this year as a “wealth tax”. Perhaps that is why the real estate bubble continues to grow as it may be safer to keep money in real assets versus the local state-owned bank—or the mattress, given an additional threat of inflation.

The second immediate threat is the growing spread of swine fever in China that is devastating the hog population. China loves pork, which accounts for 60% of all meat consumption in China, and they produce almost 50% of all pork in the world (compared with only 11% for the U.S.). But the Chinese government has reported that the sow herd in China has dropped over 24% and private estimates have doubled that figure.

China’s agricultural ministry has estimated that pork prices could surge as much as 70% this year. You might as well double that as well. There are 500 million Chinese poor who live on less than $5 a day, and perhaps as many as 150 million who live on less than $2 a day. Surging pork prices, and the concurrent increase in demand (and prices) for chicken, will not be good for impoverished rural China.

The third shoe to drop is the Fall Armyworm (FAW) infestation. A USDA report from May stated, “FAW has no natural predators in China and its presence may result in lower production and crop quality of corn, rice, wheat, sorghum, sugarcane, cotton, soybean and peanuts among other cash crops.”

In previous infestations, the United Nations Food & Agricultural Organization has estimated that up to half the country’s crop could get wiped out. This is more bad news for China’s poor. With protests in Hong Kong attracting as many as 2 million participants, one wonders how long it will be before 500 million “peasants”—the word used by a very senior Chinese official to me ten years ago in reference to China’s rural poor—rise up. There is an old expression in China, “In order to keep the mandate from heaven, you must fill the bowls.” Filling the rice bowls could become Xi’s number one problem this year.

As Ms. Bhansali points out in her interview, the slowdown in China has nothing to do with the tariffs, but more with the Harvard educated central bankers of China finally saying “no more credit expansion.” However, with potential food shortages in the near future, China needs to lower their retaliatory tariffs on US food products immediately. President Xi can say that this is out of a gesture of good will to restart a broader trade agreement and fudge the real reason.

Regardless, China is in deep trouble and they need a trade deal now. President Trump rightly continues to push for fair (pari passu) trade with China, something the past six U.S. administrations have failed to achieve. The Trump administration and American industry also want China to stop stealing our technology and stop their massive subsidy of state-owned enterprises which undermine reasonable competition from ALL other nations. 

For their part, China wants the U.S. to stop blocking Huawei from participating in building out the worldwide 5G network. Besides the obvious security concerns, Huawei also lacks interoperability with other providers, reminiscent of 19th Century railroad robber barons who built their tracks to different gauges to stifle competition. Keeping competitors from being able to share their tracks was, and is, a classic monopolistic tactic. However, there can be no trade deal without 5G interoperability as part of it.

China needs a trade agreement now to keep the rice bowls full and to stave off a Japan-like “lost decade.” It cannot wait until November 2020.

This piece originally appeared in Forbes on July 19, 2019.

Commentary: Protecting Europe from China will strengthen the future of NATO

This op-ed originally appeared in EURACTIV online on June 19, 2019

By: Douglas Lute

NATO, the world’s oldest and most successful alliance, recently turned 70 years old. As a report from Harvard’s Belfer Center explains, the Alliance faces a daunting array of challenges, including some that are familiar like defence spending and Russian aggression.

Other challenges are only now emerging and will become increasingly important in coming years. Especially pressing is the growing strategic competition between the Western alliance and China, which will likely dominate the world scene for the next several decades.

Today the competition with China is mostly economic, not military, but NATO members need to pay attention. Chinese economic investments today can lead to political influence tomorrow, and also have security implications. China’s annual foreign direct investment in Europe grew to $420 billion in 2017, a fifty-fold increase over a decade.

As part of the Belt and Road Initiative, China focuses investments on transportation and communications infrastructure, vital connections to Europe’s huge market with 500 million consumers and one-fourth of global GDP.

With these huge investments, China will gain political influence within European Union governments, as we have already seen in several cases. As political divisions widen within both NATO and the EU, cohesion erodes and these key institutions will struggle to attain consensus on how to address this challenge.

The competition with China includes emerging digital technologies that have significant security implications. Artificial intelligence, quantum computing, robotics and biotechnology may revolutionise warfare, perhaps on the scale of the changes brought on with the development of nuclear weapons in the early years of NATO.

Most attention today centres on the competition for 5G communications networks. While Chinese-made 5G infrastructure tends to be less expensive, it introduces new vulnerabilities because of the potential for the Chinese government to gain access to the networks and the data that travels across them.

Neither economic nor security concerns are likely to completely dominate in the European market as individual Member States weigh costs, benefits and risks. As it stands, the European 5G market is poised to contain a significant amount of Chinese infrastructure.

Economic factors can be balanced with security concerns. European governments can leverage contractual, regulatory and technological tools to mitigate security risks. For example, mandating interoperability between 5G technological components would ensure that one manufacturer, such as China’s Huawei, does not dominate the market.

Without careful coordination among allies to agree on reasonable security measures, 5G competition threatens to divide NATO and the EU politically, lead to barriers to integration, and reduce the overall benefit of 5G to European consumers.

While 5G is the current hot topic, it is just the beginning of competition with China in emerging technologies. In the coming decades, even more sophisticated data-based technologies will mean that both America and the European Union face a long term, geo-strategic competition with China.

Some of these technologies will have even more direct implications for national and Alliance security than 5G, changing fundamentally how NATO deters and, if necessary, fights wars.

Now is the time for NATO – and its most important partner, the EU – to wake up to the challenge from China, while it is still primarily economic and not yet military. Together, the US and NATO allies comprise about 50% of global GDP.

The trans-Atlantic alliance is a strategic advantage for both America and Europe that China cannot match – if we act together. As the competition with China is mainly economic and political, it should be a priority topic for US-EU and NATO-EU consultations.

For example, the US should welcome recent EU initiatives to implement measures to control foreign investment, similar to the Committee on Foreign Investment in the United States (CFIUS). The competition for 5G in Europe is only the opening round in the strategic competition with China.

America and Europe, joined together in NATO, are stronger together.

Commentary: 5G risk is about more than simply securing competitive advantage

This op-ed originally appeared in The Hill on May 17, 2019.

By: Nate Snyder

The dawning of 5G capabilities will revolutionize our telecommunications and online networks. Data transport speeds will increase to 10 times faster than what they are with 4G. As countries across the globe discover and develop new 5G innovations, so too will terrorist organizations, private actors, and lone offenders. If there is a new technology breakthrough with the public at large, it will no doubt be leveraged by bad actors who will develop and discover their own insidious innovations and exploitations.

While working on counterterrorism efforts at the Department of Homeland Security during the Obama administration, I became familiar with how private actors and terrorist organizations exploit any vulnerabilities they can, especially when it comes to online networks and using the internet. These bad actors exploit network vulnerabilities to target and disrupt critical infrastructure, and access and exploit information and people.

It is no secret that the Chinese government has built in capabilities to control the online access of its own citizens. It is also widely known that Huawei is essentially state controlled and influenced. Reports note the company is 99 percent answerable to the Chinese government. Various backdoors, control measures, and surveillance applications have been built directly into the “Great Firewall” of Chinese online infrastructure.

Many of these surreptitious access points and controls are coded into core software and engineered into hardware. While at the Department of Homeland Security, I met with a senior Chinese counterterrorism delegation. I asked them how they address online radicalization to violence. Without hesitation, they replied, “We turn the internet off.” If the Chinese government uses these vulnerabilities to its advantage, you can guarantee that terrorist organizations will also seek to exploit them.

That explains why Prime Minister Theresa May announcing that the United Kingdom will allow Huawei to build noncore 5G functions is a significant problem. Not only is it a British security risk, but it also affects American and allied security. Allowing Huawei onto our collective 5G networks would be like inviting inside a Trojan horse that can be exploited by the Chinese government and other bad actors. The British government has cited compromising vulnerabilities in the Huawei supply chain. Several years ago Vodafone discovered security flaws in Huawei software that, while not fatal, continue to compromise the reputation of the company.

Because of these software and hardware vulnerabilities, likely created with purpose, Huawei and the Chinese 5G supply chain cannot be trusted. The supply chain security is beyond suspicious, and some American allies have already banned the use of Huawei 5G technology. Since the Huawei and Chinese 5G supply chain has more holes than Swiss cheese, it is fair to expect not if but when bad actors will exploit these vulnerabilities.

Some of the greatest deterrents we have against terrorists using online networks and the internet are awareness and intelligence. With Huawei potentially holding a monopoly on the flow and curation of 5G information across the globe, who knows if it will allow adequate access to investigate terrorist threats, emerging trends, threat vectors, and critical data. Huawei will essentially become an all knowing information provider and could handicap the United States and allied intelligence communities. Imagine the embarrassment of relying on Huawei for intelligence to investigate domestic terrorist threats in our own backyard, let alone the potential international ramifications. Even if access is given, the information could be suspicious. Needless to say, bad actors will exploit these blind spots.

The United States should lead the fight for shared principles and ensure competition and interoperability among technology vendors. The Trump administration should focus on building a coalition of our closest allies instead of ridiculing them. This key coalition should push for mandating interoperability among technology providers, ensuring that one company does not become the sole provider for unimagined future technologies like 6G, and tackling risks through diversification and threat dispersion.

The coalition should also demand that Huawei provide the interoperable technology to strengthen noncore technology. Without diversity of secure technology in the 5G ecosystem, the United States leaves itself open to exploitation. Should these demands not be met, the coalition will need to develop new information sharing agreements to mitigate the simple fact that Huawei cannot be a trusted reliable information provider. The United States, along with our closest allies, should lead in the race to develop forward looking and competitive 5G infrastructure technology and policy, or risk falling prey to bad actors. If we are able to get our act together, we still have the opportunity to positively impact 5G development, but we must act now before it is too late. Our national security depends on it.

Nate Snyder is a senior advisor with Cambridge Global Advisors. He was a senior counterterrorism official with the Department of Homeland Security and the Countering Violent Extremism Task Force under President Obama.

Commentary: 5G Is The Essential National Security Imperative Of Our Time

By: Christopher Burnham

The hype around 5G is real—it will change how we communicate, travel, fight wars, drive (or not drive) cars, and educate our children. It will also change how doctors operate and treat and heal the sick. It is the most important modernization of our infrastructure that we can do until quantum computing is perfected. It is also the single most important national security imperative for the US for the next ten years.

In the race to 5G, it’s clear that the Chinese have an advantage because their government can tell companies “give back the spectrum we licensed to you”, and then reallocate it to where it can be the most effective in winning the 5G race. Spectrum in the US (think radio waves), has been given away or sold for pennies by the Federal Communications Commission (FCC) for decades. President Lyndon Johnson made $20 million getting the FCC to sell him radio and T.V. spectrum for two Texas stations for pennies back in the 1940s. That certainly has ended in recent years—just in the last four years the FCC has auctioned off two spectrum ranges for more than $50 billion.

Over the past forty years, spectrum for mobile phones, satellite communications and T.V., GPS services, and hundreds of other applications has been awarded by the FCC to jump-start the communications revolution we now take for granted. To fully implement 5G across all communities in the U.S., the FCC must now figure out how to allocate spectrum from the very lowest frequency to incredibly high millimeter wave frequency. The backbone will be (for lack of a better way to describe it) in the middle frequency—or the part that was given away for free to government satellite companies back in the 1960s, that then became the struggling satellite companies of today. This is known as “C-band spectrum”, and you will see the numbers 3.7 to 4.2 gigahertz associated with that band. C-band is what enables you to watch the championship basketball game on cable TV as it is the backhaul for ESPN and other networks.

However, C-band is not the only spectrum needed to fully implement 5G. Lower and higher frequencies are also needed. The trouble is, it’s a trade-off. Low frequency is great at going very long distances and can penetrate buildings, forests, even mountains and oceans if ultra-low frequency. That is how our submarines communicate back to the U.S. from deep within the ocean. The trouble is, low frequency also means low bandwidth. High frequency has enormous bandwidth. But it can only go very short distances, and rain, snow, trees, let alone buildings, can disrupt or block it. That is why at that end of the proposed 5G spectrum, you will need an antenna every couple hundred yards or so versus current cell phone towers today, which are miles apart.

What the FCC must now do is figure out how to get back all this spectrum and auction it to those cellular companies building the 5G backbone. Other countries have recently held highly successful auctions for this spectrum range. Some of the mid-band spectrum is also controlled by the U.S. military—and is essential for radar. Unused portions of this will need to be reallocated to the FCC for auctioning to 5G companies.

This piece originally appeared in Forbes on April 12, 2019.

We’ve Spent Billions on Cybersecurity: How Are We Doing?

This commentary originally appeared in Homeland Security Today, January 30, 2019.

Protecting America’s critical infrastructure — essential to our everyday life — from cyber attacks remains one of our nation’s most important missions. How are we doing?

Not so good, by some accounts. In 2017, a major MIT report concluded that after spending billions of dollars over the past few decades, our infrastructure is somehow less secure than it was 30 years ago. Its authors conclude that “the vulnerability of the systems that power our nation is a national disgrace.”

And this is not merely a theoretical risk. Last April, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation issued an alert regarding the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. In May, the U.S. Department of Justice announced they had stopped a network of more than half a million worldwide web-connected infected devices or “botnets.” And the Office of the Director of National Intelligence has concluded that they “expect that Russia will conduct bolder and more disruptive cyber operations” against our critical infrastructure in 2019.

Despite the recent re-opening of the federal government, Washington will likely remain gridlocked with no consensus plan to protect our critical infrastructure. Without the federal government acting, we will likely end up with a patchwork of potentially confusing and conflicting state and local regulations, which would create a nightmare landscape for business.

Progress, however, is possible and achievable. The same MIT report that paints such a grim picture also concludes that “the pathway to higher ground has been charted.” In addition, a new law was passed in October that formally creates a new federal agency at DHS, the Cybersecurity and Infrastructure Security Agency (CISA), which will become the federal government’s focal point to more strategically catalogue national critical functions and better advise on risk. And while properly organizing and planning is necessary to taking action, so is process. Fortunately, embedded in CISA is a cross-sector, collaborative approach to improving cybersecurity. DHS calls it providing for a collective defense.

So, where do we go from here? Such a process could lead to more widespread adoption of voluntary best practice standards, like the CIS Controls, the set of internationally recognized prioritized actions that form the foundation of basic cyber hygiene — cyber network defense that is demonstrated to prevent 80-90 percent of all known pervasive and dangerous cyber attacks. The Controls, compiled by cybersecurity experts around the world, help implement the goals of the NIST Cybersecurity Framework by providing a blueprint for network operators to improve cybersecurity by identifying specific actions to be done in priority order.

In the oil and natural gas industry – obviously a key sector – most companies already adhere to the NIST framework, and other voluntary standards. For example, a majority of the natural gas pipeline companies that operate about 200,000 miles of pipelines have committed to implementing the updated Transportation and Security Administration (TSA) voluntary pipeline cybersecurity guidelines, further demonstrating the success of public-private collaboration. But not all sectors possess the same resources. Greater adoption of the Controls would further boost critical infrastructure by increasing their ability to defend against common attacks.

There will be no single, silver bullet that magically protects our critical infrastructure from cyber harm. But the CIS Controls and other voluntary best practices are known pathways to stronger cybersecurity. We should redouble our efforts to implement them today.

Brian de Vallance, a former Assistant Secretary for Legislative Affairs at the U.S. Department of Homeland Security, is a senior fellow at the Center for Cyber and Homeland Security at the George Washington University.

Commentary: Energy Sector Cyber Threat Is Real; Greater Collaboration Is Part of the Answer

By: Christopher Burnham & Brian de Vallance

This piece originally appeared in Homeland Security Today, October 9, 2018.

In June of 2017, when Wired magazine published a harrowing account of Russia’s hack of the Ukrainian electrical grid, it quickly generated broad discussion about the state of our nation’s cyber defense in the critical infrastructure (CI) sectors. But Washington is nearly 5,000 miles from Kiev, and Russia’s ability to take control of a Ukrainian power company through its IT helpdesk seemed even more remote.

Remote no longer. Dan Coats, the director of National Intelligence, recently testified before Congress that “the warning lights are blinking red again” and that “today the digital infrastructure that serves this country is literally under attack.” In March, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint alert of Russian cyber activity seeking to disrupt the energy and other CI sectors.

While much remains to be done, the U.S. is headed in the right direction on cyber. First, there is growing consensus about what constitutes basic cyber hygiene or cyber defense – for example, the Critical Security Controls from the nonprofit Center for Internet Security. In addition, following the release of the federal government’s National Security Strategy last December, the White House issued its new National Cyber Strategy in September.

Earlier this year the Department of Energy unveiled its new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), and the Senate has confirmed cyber-savvy Karen Evans as the office’s first assistant secretary. Just last week, DOE announced $28 million in technologies intended to improve the cybersecurity of power and energy infrastructure.

At the DHS Cyber Summit in July, Secretary Kirstjen Nielsen announced the creation of the National Risk Management Center (NRMC), DHS’s intended home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure. It is significant that DHS is highlighting the need to continue to build and strengthen partnerships as a part of fortifying American cybersecurity. As former DHS Deputy Secretary Jane Lute has noted, we have not yet decided, as a society, the precise role that government will play in protecting our national cyber resources. This is consistent with DHS’s enterprise approach of needing more than a single federal department to secure the homeland. Instead, we need the active partnership of all of us: state, local, tribal, and territorial (SLTT) governments; federal and SLTT law enforcement; nonprofit best-practice providers; the private sector; and the American public.

Jeanette Manfra, DHS’s assistant secretary for cyber, provides a cogent roadmap: We need to “create this collective defense model, where we all provide capabilities, authorities, and competencies to make cyberspace safer.”

For their part, the various CI sectors have been diligent in working to combat cybersecurity risk. Some CI sectors, like the natural gas industry, have been investing millions in new technologies to improve distributed control systems, cloud-based services, and data analytics. Additionally, sector-specific Information Sharing and Analysis Centers (ISACs) have allowed for improved information sharing between industry and the federal government. Top ISACs include the Multi-State ISAC, the Oil and Natural Gas ISAC, and the Financial Services ISAC, among other ISACs. Other positive industry actions include adopting voluntary best practices like the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; participating in cross-industry exercises like Grid-Ex, where CI sectors practice responding to cyber-attacks; and continually educating employees on the latest cyber risks and threats.

With the establishment of the NRMC, Secretary Nielsen has issued a challenge and an invitation: private industry and the various national security agencies need to work together to help make this cross-sector, public-private partnership model a successful approach to increasing cyber defense in critical infrastructure.

The individual partners are making progress. We must now work together to create a collective defense.

Commentary: DHS’ Big Data Integration Challenge

By Francis X. Taylor

This commentary originally appeared in The Cipher Brief, August 8, 2018.

Department of Homeland Security Secretary Kirstjen Nielsen recently traveled from Washington D.C. to New York with her senior team in tow, to announce the creation of the National Risk Management Center.  It is intended to be DHS’ tip of the spear when it comes to information sharing between the public and private sectors about emerging and sometimes urgent, cyber security threats. 

In an opinion piece posted on CNBC, Nielsen said that the U.S. is not “connecting the dots” quickly enough and said “Between government and the private sector, we have the data needed to disrupt, prevent and mitigate cyberattacks.  But we aren’t sharing fast enough or collaborating deeply enough to keep cyberattacks from spreading or to prevent them in the first place.”

As DHS takes on a new collective defense strategy by putting a premium on public-private information sharing efforts, The Cipher Brief wanted to know a little more about how DHS itself stores and accesses the vast amounts of data it holds. 

Francis Taylor served as DHS’ Under Secretary for Intelligence and Analysis during President Obama’s second term.  One of his priorities was to figure out how DHS could better use data technology tools to increase its operational effectiveness.  It was an issue that he also had to tackle during his time in the private sector, where he worked as Vice President and Chief Security Officer for General Electric. 

Taylor shared his insights with The Cipher Brief, offering a better understanding of the current efforts within DHS to strengthen its capacities, especially at the enterprise level.  We also wanted him to explain what makes integration such a vexing task.

The Cipher Brief: Can you give us some strategic context around data analysis and integration?

Taylor: Data analysis and integration is critical to how we protect our country and our border. After 9/11 the discussion was about “connecting the dots.” Today there are trillions of dots of information that are available to help us understand what individual, organization or nation-state represent a threat to our people, our country and way of life. Much of that information comes from around the world and allows us to push our analysis beyond our border to regions across the globe. Not only must DHS integrate the data that it collects in the performance of its mission, it must integrate that data with other data from open source, our international partners, and the intelligence and law enforcement communities to have a full picture of the threats we face.

The Cipher Brief: What kinds of data does DHS collect and store?

Taylor: DHS is the third largest department of our government. DHS components comprise the largest number of federal law enforcement officers in our government and the department conducts its law enforcement mission worldwide. It interacts daily (and collects information on) U.S. citizens, foreign nationals and U.S. and foreign businesses applying for benefits from the U.S. Government. DHS also collects data in conjunction with its law enforcement and security missions enforcing U.S. immigration and trade security regimes, immigration violations, citizenship, refugee and asylum applications, and trusted traveler programs. DHS stores all of this data in more than 900 unconnected databases and the information is kept in silos that are then accessed by the components to perform daily missions. Many of these databases were created long before DHS was established in 2003 and contain old technology that makes it difficult to update and integrate.

The Cipher Brief:  How does the issue of data overload negatively impact DHS’ mission to protect the country?

Taylor: I believe that DHS has all the information it needs to proactively defend our country, but the information that is collected is not available to the operators for data analytics that would improve their understanding of threats to our homeland.  The amount of valuable intelligence sitting in DHS data systems is staggering and would be invaluable to DHS and the rest of the U.S. government if it was better analyzed and shared with the appropriate stakeholders.

The Cipher Brief: What is the DHS Information Sharing Enterprise and how does the National Vetting Center (NVC) support the overall mission?

Taylor: The DHS Information sharing enterprise is embodied in the DHS Information Sharing and Safeguarding Governance Board (ISSGB) which is chaired by the DHS Chief Information Officer and the DHS Under Secretary for Intelligence and Analysis. All of the components of the Department are represented on the ISSGB. Unfortunately though, the ISSGB has been largely ineffective in moving the needle within the Department to improve information sharing across the enterprise.  DHS component elements generally do not see value in integrating information across the enterprise.  And there is little incentive to change this paradigm, absent dedicated funding for the enterprise and a clear prioritization of this integration from the Department’s leadership.

The NSC established the National Vetting Center (NVC) in DHS to serve as a focal point for all USG vetting to support travel and border security. It is a logical enhancement to CBP’s National Targeting Center (NTC) that has developed and deployed significant capability in data analytics and integration that improves our understanding of threats to our travel and trade activities as well as our border. NVC envisions building on the NTC foundation to develop even more sophisticated tools and processes to vet individuals applying for benefits within our country.  As the Obama administration was transitioning, former DHS Secretary Jeh Johnson asked all senior staff what we would have done differently, based on what we had learned during our time at the helm.  My answer was that we should have moved ALL vetting for benefits administered by the Department to the National Targeting Center as a government-wide shared service.  My rationale was simple, the Secretary of DHS is the one official in our government that has the final say over who is allowed into our country, but the Secretary does not own the process to ensure that the vetting is effective and continues to improve.  I believe the NVC begins that process and will significantly improve how we make decisions across our government on applications for benefits.

The Cipher Brief: What is the state of DHS data integration and information sharing (i.e. HSIN)?

Taylor: The DHS Data Framework is a joint endeavor by the DHS CIO and Under Secretary for Intelligence and Analysis to build a data lake with the top 20 databases essential to the Department’s vetting and assessment mission. I understand the momentum of the data framework has slowed significantly. I also understand that CBP is driving the data framework as the next level of improvement in information sharing but that DHS headquarters support for the initiative is lacking.

The Homeland Security Information Network (HSIN) continues to be the most effective system for DHS to communicate with its state, local, tribal, territorial and private sector partners. But it has real shortcomings.  It needs continued investment to make it more a data sharing platform and not just a communication platform.  HSIN does not allow for data searching and online queries.  This needs to change if the system is to continue to be valuable to DHS stakeholders at every level.

The Cipher Brief: Why is creating DHS-wide searchable data stores so difficult for the Department? Would DHS benefit from a data integration acquisition and standards czar?

Taylor: Most law enforcement organizations are organized to pursue investigating and interdicting wrongdoers. It is the most important aspect of the mission, and I share focus on these priorities. However, the absence of an integrated data system denies DHS components and others the ability to fully exploit the information stored in Department systems. This is inefficient. The lack of an integration function at the headquarters-level makes fixing this shortcoming harder. The original vision for the Department was to have little centralized-control of operations and to keep operational power within the components. Each DHS component approaches its missions from its own narrow organizational mission perspective. The components have built processes and procedures from their individual operational perspectives and not from the perspective of how these procedures can be more effectively integrated to meet the collective mission of the Department. Add to this the fact that budgeting and oversight of the Department is controlled by more than 80 Congressional oversight committees and you can imagine the dysfunction and disincentive to collaborate.

The Cipher Brief: Finally, how do blockchain, advanced encryption or other types of algorithms increase the likelihood of safe data sharing across the DHS Information Sharing Enterprise?

Taylor:  All of the new information analysis technologies will greatly improve information sharing in the Department. Some of this technology is already in use in some of the components; yet it is not systematic and does not optimize the use of these technologies.

Commentary: National Vetting Center a Needed, Not Controversial, Security Asset

By Francis X. Taylor

This commentary originally appeared in Homeland Security Today, June 11, 2018.

For decades the U.S. has screened and vetted those who wish to enter the United States or apply to come to the U.S. as visitors, immigrants or refugees. While technology and threats have changed, what has remained the same is the need for our officials on the front lines to have the most up-to-date and accurate information to decide who should or should not be allowed to enter our country.

To that end, earlier this year the National Vetting Center (NVC) was created to strengthen, simplify, and streamline the complex, ad hoc, and sometimes inefficient ways that intelligence is used to inform operational decisions related to screening and vetting. Despite the hype, I believe the NVC should not be viewed as part of the heated national debate on extreme vetting. Instead, the NVC should be viewed as the continuing improvement of effective security processes to improve the security of our travel, immigration and trade infrastructure. Specifically, I believe there are three added benefits to the government and to America’s overall national security posture with the launch of the NVC.

First, the practices and procedures that the U.S. government uses for screening and vetting must be dynamic and continually evolve in terms of throughput, redress, privacy, and accuracy. The NVC is a positive step in that direction. Following the 9/11 terrorist attacks, the U.S. created a system to better protect the homeland against potential terrorists. Lessons learned after each attempted terrorist plot since 9/11 caused the government to incrementally mature the system but never fully institutionalize these best practices in one organization.

While U.S. intelligence, law enforcement and security professionals continue to scour the globe for transnational criminals, spies, drug smugglers and weapons proliferators trying to enter the country illegally or with bad intent, the NVC can serve as a single place to analyze a broader set of applicable government information – with the right privacy regime to ensure that the right analysts have access to the proper information at the right time.

Second, I believe the NVC is a smarter use of the government’s existing knowledge, expertise, and money, as well as a realization of the post-9/11 mission to connect the dots of those transiting to the homeland for nefarious reasons.

Threats are not the only thing that have changed since the turn of the century. Technology has clearly evolved at a near exponential pace. Through the NVC, federal agencies will have the ability to use the NVC’s tools and analytic programs in a consolidated, efficient, and streamlined fashion with greater accuracy and speed than ever before. This approach would allow for secure information sharing at a volume and speed that was not possible just five years ago.

Through the creation of the NVC, the U.S. government will have an agile center that can evolve as the threats to the homeland evolve. The threat picture is ever-evolving and the government needs to move quicker to counter the tools that our adversaries are using. Today’s technology will allow agencies to maintain control of their data and permit it to be accessed securely and only by those with the right and proper authorities for the purpose of a specific, legally authorized screening mission.

Finally, the NVC will allow for better coordination and collaboration. Right now, agencies are screening and vetting people properly and with much success – the system is not broken. But we can do it better. And we can expand the work beyond the counterterrorism-only focus of the past 17 years. The NVC will allow for a “task-force” approach to these activities rather than the ad hoc mechanisms that currently exist. Co-locating vetting analysts from different agencies will allow these trained professionals to collaborate, share information where appropriate and access the expertise that resides within each agency to make better, more timely and more informed decisions – including redress decisions. And this scalable model will provide agencies the flexibility to meet the evolving threats we no doubt will face in the coming years as terrorists, criminals and others change their tactics in an attempt to evade the latest vetting protocols.

As the former Under Secretary for Intelligence and Analysis at Department of Homeland Security (DHS), I helped to tackle these same issues while serving in the last administration. I commend DHS for picking up where we left off. And it is my hope that they can build on our path to strengthen this capability with the right outcomes from the start.

It is important that the NVC is a government asset and does not belong to one department or component. It is also important that the NVC is a truly joint facility that allows assignees from across the interagency to collaborate, co-train, and fuse intelligence and experience within the art of screening and vetting. I wish the first director of the NVC my very best: This problem is not insignificant and yet the solution is ever-critical to the protection of our homeland.

Commentary: Firewalling Democracy: Federal Inaction on a National Security Priority

This piece originally appeared in The Hill, January 31, 2018.

January marked the first anniversary of the U.S. Department of Homeland Security’s designation of elections as “critical infrastructure,” placing them into the category of other physical or virtual sectors — such as food, water and energy — considered so crucial that their protection is necessary to our national security. Naming “elections” as a critical infrastructure sub-sector was a key action taken by then-Secretary Jeh Johnson following an Intelligence Community report about ways Russia sought to meddle in the 2016 elections via a variety of hacking tactics aimed at election offices, voter databases and our larger digital democracy.

At the time, I was serving as DHS Under Secretary for Intelligence and Analysis — and I was encouraged greatly by the critical infrastructure move. Voting administration is a state and local responsibility, but these entities often are overburdened, under-resourced and not exactly versed in Kremlin-based cyber crimes. The announcement reflected a new reality that election security is national security — and it provided enhanced capabilities for the feds to coordinate on election cyber threats.

However, since that optimistic moment 13 months ago, there has been unwillingness at the highest levels of the federal government to act.

On Capitol Hill, it’s taken a year for the Secure Elections Act (S. 2261), to be introduced. Although a positive first step toward ensuring that states have grants and other support to protect their voting systems, the bill’s future is unclear beyond the six bipartisan co-sponsors backing it.

At DHS, scores of mid-level staff — especially within the National Protection and Programs directorate — are working to answer state and local election officials requesting cyber assistance, while at the same time gathering what limited resources exist to prepare for 2018.  But these folks are operating minus top cover from the White House or other cabinet-level leaders, many of whom continue to eschew that Russia is a concern altogether.

As I consider possible reasons for this federal lack of leadership, it appears the fear of attaching oneself to the politics of the past election — rather than tackling the real challenges of the upcoming one — emerges as the most plausible explanation.

For one, it’s not for lack of threat. The vulnerabilities within our democratic infrastructure are deepening every day. In June, DHS announced that voting systems and registration databases in at least 21 states had been the aim of Russian hacking attempts in 2016. Last fall, across the pond, the Brits laid claim that the same Russia-based Twitter accounts that targeted the 2016 U.S. election also employed divisive rhetoric to influence the Brexit referendum. Even as recently as November, news emerged that Russian bots flooded the Federal Communications Commission’s public comment systems — an important democratic forum for Americans to voice opinions — during the net-neutrality debate, generating millions of fake comments.

Federal procrastination is also seemingly not tied to lack of pressure. It is true that DHS’s initial offers for cyber assistance were not embraced by state and locals in past elections. But since last year, there’s been a backlog of requests pouring in. Meanwhile, local election directors such as Cook County, Illinois’ Noah Praetz, have taken it upon themselves to develop election cybersecurity plans, despite no federal backing. Even the hacker community — traditionally allergic to Washington — has been raising the alarm on election security. For example, DEFCON, the world’s largest hacker conference, held an educational voting machine hacking demonstration last summer to show how susceptible election equipment is to cyber attack.

Finally, I surmise absent response is not a factor of the arduous process that is federal policymaking. Historically, when a national security threat to America is imminent, I’ve seen leaders act swiftly, honorably and without regard for politics. In this case, we have waning time to act: The 2018 election season is weeks away with primaries starting in March in Illinois and Texas. And when it comes to Russia’s goal of undermining democracy, they’re not likely to take this cycle off. Indeed, they will most likely apply the lessons of 2016 with a more calculated approach.

After 47 years in working in national security — much of that spent in the military and federal government — I respect the evolving threats facing democracy today. Yet the urgent work at the state and local level to prepare for future elections will be insufficient if it is not fully matched and funded by the federal government.

With new leaders, including DHS Secretary Kirstjen Nielsen, assuming the helm, this is a moment to choose national defense over politics. A window, albeit closing, exists to support state and locals — along with mid-level civil servants — focused on the problem.

In the vital cause to reassure Americans that their democracy can withstand outside attacks, our enemies are counting on political division and chaotic discourse. I encourage leaders at every level to leverage the best of our national security resources, unite and then prove them wrong.

Francis X. Taylor, a senior advisor at the security consulting firm Cambridge Global Advisors in Washington, is the former under secretary for intelligence and analysis at the Department of Homeland Security. He also served as the former head of diplomatic security with the State Department and is a retired U.S. Air Force brigadier general.