Commentary

Commentary: 5G risk is about more than simply securing competitive advantage

This op-ed originally appeared in The Hill on May 17, 2019.

By: Nate Snyder

The dawning of 5G capabilities will revolutionize our telecommunications and online networks. Data transport speeds will increase to 10 times faster than what they are with 4G. As countries across the globe discover and develop new 5G innovations, so too will terrorist organizations, private actors, and lone offenders. If there is a new technology breakthrough with the public at large, it will no doubt be leveraged by bad actors who will develop and discover their own insidious innovations and exploitations.

While working on counterterrorism efforts at the Department of Homeland Security during the Obama administration, I became familiar with how private actors and terrorist organizations exploit any vulnerabilities they can, especially when it comes to online networks and using the internet. These bad actors exploit network vulnerabilities to target and disrupt critical infrastructure, and access and exploit information and people.

It is no secret that the Chinese government has built in capabilities to control the online access of its own citizens. It is also widely known that Huawei is essentially state controlled and influenced. Reports note the company is 99 percent answerable to the Chinese government. Various backdoors, control measures, and surveillance applications have been built directly into the “Great Firewall” of Chinese online infrastructure.

Many of these surreptitious access points and controls are coded into core software and engineered into hardware. While at the Department of Homeland Security, I met with a senior Chinese counterterrorism delegation. I asked them how they address online radicalization to violence. Without hesitation, they replied, “We turn the internet off.” If the Chinese government uses these vulnerabilities to its advantage, you can guarantee that terrorist organizations will also seek to exploit them.

That explains why Prime Minister Theresa May announcing that the United Kingdom will allow Huawei to build noncore 5G functions is a significant problem. Not only is it a British security risk, but it also affects American and allied security. Allowing Huawei onto our collective 5G networks would be like inviting inside a Trojan horse that can be exploited by the Chinese government and other bad actors. The British government has cited compromising vulnerabilities in the Huawei supply chain. Several years ago Vodafone discovered security flaws in Huawei software that, while not fatal, continue to compromise the reputation of the company.

Because of these software and hardware vulnerabilities, likely created with purpose, Huawei and the Chinese 5G supply chain cannot be trusted. The supply chain security is beyond suspicious, and some American allies have already banned the use of Huawei 5G technology. Since the Huawei and Chinese 5G supply chain has more holes than Swiss cheese, it is fair to expect not if but when bad actors will exploit these vulnerabilities.

Some of the greatest deterrents we have against terrorists using online networks and the internet are awareness and intelligence. With Huawei potentially holding a monopoly on the flow and curation of 5G information across the globe, who knows if it will allow adequate access to investigate terrorist threats, emerging trends, threat vectors, and critical data. Huawei will essentially become an all knowing information provider and could handicap the United States and allied intelligence communities. Imagine the embarrassment of relying on Huawei for intelligence to investigate domestic terrorist threats in our own backyard, let alone the potential international ramifications. Even if access is given, the information could be suspicious. Needless to say, bad actors will exploit these blind spots.

The United States should lead the fight for shared principles and ensure competition and interoperability among technology vendors. The Trump administration should focus on building a coalition of our closest allies instead of ridiculing them. This key coalition should push for mandating interoperability among technology providers, ensuring that one company does not become the sole provider for unimagined future technologies like 6G, and tackling risks through diversification and threat dispersion.

The coalition should also demand that Huawei provide the interoperable technology to strengthen noncore technology. Without diversity of secure technology in the 5G ecosystem, the United States leaves itself open to exploitation. Should these demands not be met, the coalition will need to develop new information sharing agreements to mitigate the simple fact that Huawei cannot be a trusted reliable information provider. The United States, along with our closest allies, should lead in the race to develop forward looking and competitive 5G infrastructure technology and policy, or risk falling prey to bad actors. If we are able to get our act together, we still have the opportunity to positively impact 5G development, but we must act now before it is too late. Our national security depends on it.

Nate Snyder is a senior advisor with Cambridge Global Advisors. He was a senior counterterrorism official with the Department of Homeland Security and the Countering Violent Extremism Task Force under President Obama.

Commentary: 5G Is The Essential National Security Imperative Of Our Time

By: Christopher Burnham

The hype around 5G is real—it will change how we communicate, travel, fight wars, drive (or not drive) cars, and educate our children. It will also change how doctors operate and treat and heal the sick. It is the most important modernization of our infrastructure that we can do until quantum computing is perfected. It is also the single most important national security imperative for the US for the next ten years.

In the race to 5G, it’s clear that the Chinese have an advantage because their government can tell companies “give back the spectrum we licensed to you”, and then reallocate it to where it can be the most effective in winning the 5G race. Spectrum in the US (think radio waves), has been given away or sold for pennies by the Federal Communications Commission (FCC) for decades. President Lyndon Johnson made $20 million getting the FCC to sell him radio and T.V. spectrum for two Texas stations for pennies back in the 1940s. That certainly has ended in recent years—just in the last four years the FCC has auctioned off two spectrum ranges for more than $50 billion.

Over the past forty years, spectrum for mobile phones, satellite communications and T.V., GPS services, and hundreds of other applications has been awarded by the FCC to jump-start the communications revolution we now take for granted. To fully implement 5G across all communities in the U.S., the FCC must now figure out how to allocate spectrum from the very lowest frequency to incredibly high millimeter wave frequency. The backbone will be (for lack of a better way to describe it) in the middle frequency—or the part that was given away for free to government satellite companies back in the 1960s, that then became the struggling satellite companies of today. This is known as “C-band spectrum”, and you will see the numbers 3.7 to 4.2 gigahertz associated with that band. C-band is what enables you to watch the championship basketball game on cable TV as it is the backhaul for ESPN and other networks.

However, C-band is not the only spectrum needed to fully implement 5G. Lower and higher frequencies are also needed. The trouble is, it’s a trade-off. Low frequency is great at going very long distances and can penetrate buildings, forests, even mountains and oceans if ultra-low frequency. That is how our submarines communicate back to the U.S. from deep within the ocean. The trouble is, low frequency also means low bandwidth. High frequency has enormous bandwidth. But it can only go very short distances, and rain, snow, trees, let alone buildings, can disrupt or block it. That is why at that end of the proposed 5G spectrum, you will need an antenna every couple 100 yards or so versus current cell phone towers today, which are miles apart.

What the FCC must now do is figure out how to get back all this spectrum and auction it to those cellular companies building the 5G backbone. Other countries have recently held highly successful auctions for this spectrum range. Some of the mid-band spectrum is also controlled by the U.S. military—and is essential for radar. Unused portions of this will need to be reallocated to the FCC for auctioning to 5G companies.

This piece originally appeared in Forbes on April 12, 2019.

We’ve Spent Billions on Cybersecurity: How Are We Doing?

This commentary originally appeared in Homeland Security Today, January 30, 2019.

Protecting America’s critical infrastructure — essential to our everyday life — from cyber attacks remains one of our nation’s most important missions. How are we doing?

Not so good, by some accounts. In 2017, a major MIT report concluded that after spending billions of dollars over the past few decades, our infrastructure is somehow less secure than we were 30 years ago. Its authors conclude that “the vulnerability of the systems that power our nation is a national disgrace.”

And this is not merely a theoretical risk. Last April, the U.S. Department of Homeland Security (DHS)  and the Federal Bureau of Investigation issued an alert regarding the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. In May, the U.S. Department of Justice announced they had stopped a network of more than half a million worldwide web-connected infected devices or “botnets.” And the Office of the Director of National Intelligence has concluded that they “expect that Russia will conduct bolder and more disruptive cyber operations” against our critical infrastructure in 2019.

Despite the recent re-opening of the federal government, Washington will likely remain gridlocked with no consensus plan to protect our critical infrastructure. Without the federal government acting, we will likely end up with a patchwork of potentially confusing and conflicting state and local regulations, which would create a nightmare landscape for business.

Progress, however, is possible and achievable. The same MIT report that paints such a grim picture also concludes that “the pathway to higher ground has been charted.” In addition, a new law was passed in October that formally creates a new federal agency at DHS, the Cybersecurity and Infrastructure Security Agency (CISA), which will become the federal government’s focal point to more strategically catalogue national critical functions and better advise on risk. And while properly organizing and planning is necessary to taking action, so is process. Fortunately, embedded in CISA is a cross-sector, collaborative approach to improving cybersecurity. DHS calls it providing for a collective defense.

So, where do we go from here? Such a process could lead to more widespread adoption of voluntary best practice standards, like the CIS Controls, the set of internationally recognized prioritized actions that form the foundation of basic cyber hygiene — cyber network defense that is demonstrated to prevent 80-90 percent of all known pervasive and dangerous cyber attacks. The Controls, compiled by cybersecurity experts around the world, help implement the goals of the NIST Cybersecurity Framework by providing a blueprint for network operators to improve cybersecurity by identifying specific actions to be done in priority order.

In the oil and natural gas industry – obviously a key sector – most companies already adhere to the NIST framework, and other voluntary standards. For example, a majority of the natural gas pipeline companies that operate about 200,000 miles of pipelines have committed to implementing the updated Transportation and Security Administration (TSA) voluntary pipeline cybersecurity guidelines, further demonstrating the success of public-private collaboration. But not all sectors possess the same resources. Greater adoption of the Controls would further boost critical infrastructure by increasing their ability to defend against common attacks.

There will be no single, silver bullet that magically protects our critical infrastructure from cyber harm. But the CIS Controls and other voluntary best practices are known pathways to stronger cybersecurity. We should redouble our efforts to implement them today.

Brian de Vallance, a former Assistant Secretary for Legislative Affairs at the U.S. Department of Homeland Security, is a senior fellow at the Center for Cyber and Homeland Security at the George Washington University.

Commentary: Energy Sector Cyber Threat Is Real; Greater Collaboration Is Part of the Answer

By: Christopher Burnham & Brian deVallance

This piece originally appeared in Homeland Security Today, October 9, 2018.

In June of 2017, when Wired magazine published a harrowing account of Russia’s hack of the Ukrainian electrical grid, it quickly generated broad discussion about the state of our nation’s cyber defense in the critical infrastructure (CI) sectors. But Washington is nearly 5,000 miles from Kiev, and Russia’s ability to take control of a Ukrainian power company through its IT helpdesk seemed even more remote.

Remote no longer. Dan Coats, the director of National Intelligence, recently testified before Congress that “the warning lights are blinking red again” and that “today the digital infrastructure that serves this country is literally under attack.” In March, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a joint alert of Russian cyber activity seeking to disrupt the energy and other CI sectors.

While much remains to be done, the U.S. is headed in the right direction on cyber. First, there is growing consensus about what constitutes basic cyber hygiene or cyber defense – for example, the Critical Security Controls from the nonprofit Center for Internet Security. In addition, following the release of the federal government’s National Security Strategy last December, the White House issued its new National Cyber Strategy in September.

Earlier this year the Department of Energy unveiled its new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), and the Senate has confirmed cyber-savvy Karen Evans as the office’s first assistant secretary. Just last week, DOE announced $28 million in technologies intended to improve the cybersecurity of power and energy infrastructure.

At the DHS Cyber Summit in July, Secretary Kirstjen Nielsen announced the creation of the National Risk Management Center (NRMC), DHS’s intended home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure. It is significant that DHS is highlighting the need to continue to build and strengthen partnerships as a part of fortifying American cybersecurity. As former DHS Deputy Secretary Jane Lute has noted, we have not yet decided, as a society, the precise role that government will play in protecting our national cyber resources. This is consistent with DHS’s enterprise approach of needing more than a single federal department to secure the homeland. Instead, we need the active partnership of all of us: state, local, tribal, and territorial (SLTT) governments; federal and SLTT law enforcement; nonprofit best-practice providers; the private sector; and the American public.

Jeanette Manfra, DHS’s assistant secretary for cyber, provides a cogent roadmap: We need to “create this collective defense model, where we all provide capabilities, authorities, and competencies to make cyberspace safer.”

For their part, the various CI sectors have been diligent in working to combat cybersecurity risk. Some CI sectors, like the natural gas industry, have been investing millions in new technologies to improve distributed control systems, cloud-based services, and data analytics. Additionally, sector-specific Information Sharing and Analysis Centers (ISACs) have allowed for improved information sharing between industry and the federal government. Top ISACs include the Multi-State ISAC, the Oil and Natural Gas ISAC, and the Financial Services ISAC, among other ISACs. Other positive industry actions include adopting voluntary best practices like the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; participating in cross-industry exercises like Grid-Ex, where CI sectors practice responding to cyber-attacks; and continually educating employees on the latest cyber risks and threats.

With the establishment of the NRMC, Secretary Nielsen has issued a challenge and an invitation: private industry and the various national security agencies need to work together to help make this cross-sector, public-private partnership model a successful approach to increasing cyber defense in critical infrastructure.

The individual partners are making progress. We must now work together to create a collective defense.

Commentary: DHS’ Big Data Integration Challenge

By Francis X. Taylor

This commentary originally appeared in The Cipher Brief, August 8, 2018.

Department of Homeland Security Secretary Kirstjen Nielsen recently traveled from Washington D.C. to New York with her senior team in tow, to announce the creation of the National Risk Management Center.  It is intended to be DHS’ tip of the spear when it comes to information sharing between the public and private sectors about emerging and sometimes urgent, cyber security threats. 

In an opinion piece posted on CNBC, Nielsen said that the U.S. is not “connecting the dots” quickly enough and said “Between government and the private sector, we have the data needed to disrupt, prevent and mitigate cyberattacks.  But we aren’t sharing fast enough or collaborating deeply enough to keep cyberattacks from spreading or to prevent them in the first place.”

As DHS takes on a new collective defense strategy by putting a premium on public-private information sharing efforts, The Cipher Brief wanted to know a little more about how DHS itself stores and accesses the vast amounts of data it holds. 

Francis Taylor served as DHS’ Under Secretary for Intelligence and Analysis during President Obama’s second term.  One of his priorities was to figure out how DHS could better use data technology tools to increase its operational effectiveness.  It was an issue that he also had to tackle during his time in the private sector, where he worked as Vice President and Chief Security Officer for General Electric. 

Taylor shared his insights with The Cipher Brief, offering a better understanding of the current efforts within DHS to strengthen its capacities, especially at the enterprise level.  We also wanted him to explain what makes integration such a vexing task.

The Cipher Brief: Can you give us some strategic context around data analysis and integration?

Taylor:  Data analysis and integration is critical to how we protect our country and our border. After 9/11 the discussion was about “connecting the dots.” Today there are trillions of dots of information that are available to help us understand what individual, organization or nation- state represent a threat to our people, our country and way of life. Much of that information comes from around the world and allows us to push our analysis beyond our border to regions across the globe. Not only must DHS integrate the data that it collects in the performance of its mission, it must integrate that data with other data from open source, our international partners, and the intelligence and law enforcement communities to have a full picture of the threats we face.

The Cipher Brief:What kinds of data does DHS collect and store?

Taylor: DHS is the third largest department of our government.  DHS components comprise the largest number of federal law enforcement officers in our government and the department conducts its law enforcement mission worldwide.  It interacts daily (and collects information on) U.S. citizens, foreign nationals and U.S. and foreign businesses applying for benefits from the U.S. Government.  DHS also collects data in conjunction with its law enforcement and security missions enforcing U.S. immigration and trade security regimes, immigration violations, citizenship, refugee and asylum applications, and trusted traveler programs.  DHS stores all of this data in more than 900 unconnected databases and the information is kept in silos that are then accessed by the components to perform daily missions. Many of these databases were created long before DHS was established in 2003 and contain old technology that make it difficult to update and integrate.

The Cipher Brief:  How does the issue of data overload negatively impact DHS’ mission to protect the country?

Taylor: I believe that DHS has all the information it needs to proactively defend our country, but the information that is collected is not available to the operators for data analytics that would improve their understanding of threats to our homeland.  The amount of valuable intelligence sitting in DHS data systems is staggering and would be invaluable to DHS and the rest of the U.S. government if it was better analyzed and shared with the appropriate stakeholders.

The Cipher Brief:What is the DHS Information Sharing Enterprise and how does the National Vetting Center (NVC) support the overall mission?

Taylor: The DHS Information sharing enterprise is embodied in the DHS Information Sharing and Safeguarding Governance Board (ISSGB) which is chaired by the DHS Chief Information Officer and the DHS Under Secretary for Intelligence and Analysis. All of the components of the Department are represented on the ISSGB. Unfortunately though, the ISSGB has been largely ineffective in moving the needle within the Department to improve information sharing across the enterprise.  DHS component elements generally do not see value in integrating information across the enterprise.  And there is little incentive to change this paradigm, absent dedicated funding for the enterprise and a clear prioritization of this integration from the Department’s leadership.

The NSC established the National Vetting Center (NVC) in DHS to serve as a focal point for all USG vetting to support travel and border security. It is a logical enhancement to CBP’s National Targeting Center (NTC) that has developed and deployed significant capability in data analytics and integration that improves our understanding of threats to our travel and trade activities as well as our border. NVC envisions building on the NTC foundation to develop even more sophisticated tools and processes to vet individuals applying for benefits within our country.  As the Obama administration was transitioning, former DHS Secretary Jeh Johnson asked all senior staff what we would have done differently, based on what we had learned during our time at the helm.  My answer was that we should have moved ALL vetting for benefits administered by the Department to the National Targeting Center as a government-wide shared service.  My rationale was simple, the Secretary of DHS is the one official in our government that has the final say over who is allowed into our country, but the Secretary does not own the process to ensure that the vetting is effective and continues to improve.  I believe the NVC begins that process and will significantly improve how we make decisions across our government on applications for benefits.

The Cipher Brief: What is the state of DHS data integration and information sharing (i.e. HSIN)?

Taylor: The DHS Data Framework is a joint endeavor by the DHS CIO and Under Secretary for Intelligence and Analysis to build a data lake with the top 20 databases essential to the Department’s vetting and assessment mission. I understand the momentum of the data framework has slowed significantly. I also understand that CBP is driving the data framework as the next level of improvement in information sharing but that DHS headquarters support for initiative is lacking.

The Homeland Security Information Network (HSIN) continues to be the most effective system for DHS to communicate with its state, local, tribal, territorial and private sector partners. But it has real shortcomings.  It needs continued investment to make it more a data sharing platform and not just a communication platform.  HSIN does not allow for data searching and online queries.  This needs to change if the system is to continue to be valuable to DHS stakeholders at every level.

The Cipher Brief:Why is creating DHS-wide searchable data stores so difficult for the Department? Would DHS benefit from a data integration acquisition and standards czar?

Taylor: Most law enforcement organizations are organized to pursue investigating and interdicting wrong doers.  It is the most important aspect of the mission, and I share focus on these priorities.  However, the absence of an integrated data system denies DHS components and others the ability to fully exploitat the information stored in Department systems.  This is inefficient. The lack of an integration function at the headquarters-level makes fixing this shortcoming harder.  The original vision for the Department was to have little centralized-control of operations and to keep operational power within the components.  Each DHS component approaches its missions from its own narrow organizational mission perspective. The components have built processes and procedures from their individual operational perspectives and not from the perspective of how these procedures can be more effectively integrated to meet the collective mission of the Department.  Add to this the fact that budgeting and oversight of the Department is controlled by more than 80 Congressional oversight committees and you can imagine the dysfunction and disincentive to collaborate.

The Cipher Brief: Finally, how do blockchain, advanced encryption or other types of algorithms increase the likelihood of safe data sharing across the DHS Information Sharing Enterprise?

Taylor:  All of the new information analysis technologies will greatly improve information sharing in the Department. Some of this technology is already in use in some of the components; yet it is not systematic and does not optimize the use of these technologies.

Commentary: National Vetting Center a Needed, Not Controversial, Security Asset

By Francis X. Taylor

This commentary originally appeared in Homeland Security Today, June 11, 2018.

For decades the U.S. has screened and vetted those who wish to enter the United States or apply to come to U.S. as visitors, immigrants or refugees. While technology and threats have changed, what has remained the same is the need for our officials on the front lines to have the most up-to- date and accurate information to decide who should or should not be allowed to enter our country.

To that end, earlier this year the National Vetting Center (NVC) was created to strengthen, simplify, and streamline the complex, ad hoc, and sometimes inefficient ways that intelligence is used to inform operational decisions related to screening and vetting. Despite the hype, I believe the NVC should not be viewed as part of the heated national debate on extreme vetting. Instead, the NVC should be viewed as the continuing improvement of effective security processes to improve the security of our travel, immigration and trade infrastructure. Specifically, I believe there are three added benefits to the government and to America’s overall national security posture with the launch of the NVC.

First, the practices and procedures that the U.S. government uses for screening and vetting must be dynamic and continually evolve in terms of throughput, redress, privacy, and accuracy. The NVC is a positive step in that direction. Following the 9/11 terrorist attacks, the U.S. created a system to better protect the homeland against potential terrorists. Lessons learned after each attempted terrorist plot since 9/11 caused the government to incrementally mature the system but never fully institutionalize these best practices in one organization.

While U.S. intelligence, law enforcement and security professionals continue to scour the globe for transnational criminals, spies, drug smugglers and weapons proliferators trying to enter the country illegally or with bad intent, the NVC can serve as a single place to analyze a broader set of applicable government information – with the right privacy regime to ensure that the right analysts have access to the proper information at the right time.

Second, I believe the NVC is a smarter use of the government’s existing knowledge, expertise, and money, as well as a realization of the post-9/11 mission to connect the dots of those transiting to the homeland for nefarious reasons.

Threats are not the only thing that have changed since the turn of the century. Technology has clearly evolved at a near exponential pace. Through the NVC, federal agencies will have the ability to use the NVC’s tools and analytic programs in a consolidated, efficient, and streamlined fashion with greater accuracy and speed than ever before. This approach would allow for secure information sharing at a volume and speed that was not possible just five years ago.

Through the creation of the NVC, the U.S. government will have an agile center that can evolve as the threats to the homeland evolve. The threat picture is ever-evolving and the government needs to move quicker to counter the tools that our adversaries are using. Today’s technology will allow agencies to maintain control of their data and permit it to be accessed securely and only by those with the right and proper authorities for the purpose of a specific, legally authorized screening mission.

Finally, the NCV will allow for better coordination and collaboration. Right now, agencies are screening and vetting people properly and with much success – the system is not broken. But we can do it better. And we can expand the work beyond the counterterrorism-only focus of the past 17 years. The NVC will allow for a “task-force” approach to these activities rather than the ad hoc mechanisms that currently exist. Co-locating vetting analysts from different agencies will allow these trained professionals to collaborate, share information where appropriate and access the expertise that resides within each agency to make better, more timely and more informed decisions – including redress decisions. And this scalable model will provide agencies the flexibility to meet the evolving threats we no doubt will face in the coming years as terrorists, criminals and others change their tactics in an attempt to evade the latest vetting protocols.

As the former Under Secretary for Intelligence and Analysis at Department of Homeland Security (DHS), I helped to tackle these same issues while serving in the last administration. I commend DHS for picking up where we left off. And it is my hope that they can build on our path to strengthen this capability with the right outcomes from the start.

It is important that the NVC is a government asset and does not belong to one department or component. It is also important that the NVC is a truly joint facility that allows assignees from across the interagency to collaborate, co-train, and fuse intelligence and experience within the art of screening and vetting. I wish the first director of the NVC my very best: This problem is not insignificant and yet the solution is ever-critical to the protection of our homeland.

Commentary: Firewalling Democracy: Federal Inaction on a National Security Priority

This piece originally appeared in The Hill, January 31, 2018.

January marked the first anniversary of the U.S. Department of Homeland Security’s designation of elections as “critical infrastructure,” placing them into the category of other physical or virtual sectors — such as food, water and energy — considered so crucial that their protection is necessary to our national security. Naming “elections” as a critical infrastructure sub-sector was a key action taken by then-Secretary Jeh Johnson following an Intelligence Community report about ways Russia sought to meddle in the 2016 elections via a variety of hacking tactics aimed at election offices, voter databases and our larger digital democracy.

At the time, I was serving as DHS Under Secretary for Intelligence and Analysis — and I was encouraged greatly by the critical infrastructure move. Voting administration is a state and local responsibility, but these entities often are overburdened, under-resourced and not exactly versed in Kremlin-based cyber crimes. The announcement reflected a new reality that election security is national security — and it provided enhanced capabilities for the feds to coordinate on election cyber threats.

However, since that optimistic moment 13 months ago, there has been unwillingness at the highest levels of the federal government to act.

On Capitol Hill, it’s taken a year for the Secure Elections Act (S. 2261), to be introduced. Although a positive first step toward ensuring that states have grants and other support to protect their voting systems, the bill’s future is unclear beyond the six bipartisan co-sponsors backing it.

At DHS, scores of mid-level staff — especially within the National Protection and Programs directorate — are working to answer state and local election officials requesting cyber assistance, while at the same time gathering what limited resources exist to prepare for 2018.  But these folks are operating minus top cover from the White House or other cabinet-level leaders, many of whom continue to eschew that Russia is a concern altogether.

As I consider possible reasons for this federal lack of leadership, it appears the fear of attaching oneself to the politics of the past election — rather than tackling the real challenges of the upcoming one — emerges as the most plausible explanation.

For one, it’s not for lack of threat. The vulnerabilities within our democratic infrastructure are deepening every day. In June, DHS announced that voting systems and registration databases in at least 21 states had been the aim of Russian hacking attempts in 2016. Last fall, across the pond, the Brits laid claim that the same Russia-based Twitter accounts that targeted the 2016 U.S. election also employed divisive rhetoric to influence the Brexit referendum. Even as recently as November, news emerged that Russian bots flooded the Federal Communications Commission’s public comment systems — an important democratic forum for Americans to voice opinions — during the net-neutrality debate, generating millions of fake comments.

Federal procrastination is also seemingly not tied to lack of pressure. It is true that DHS’s initial offers for cyber assistance were not embraced by state and locals in past elections. But since last year, there’s been a backlog of requests pouring in. Meanwhile, local election directors such as Cook County, Illinois’ Noah Praetz, have taken it upon themselves to develop election cybersecurity plans, despite no federal backing. Even the hacker community — traditionally allergic to Washington — has been raising the alarm on election security. For example, DEFCON, the world’s largest hacker conference, held an educational voting machine hacking demonstration last summer to show how susceptible election equipment is to cyber attack.

Finally, I surmise absent response is not a factor of the arduous process that is federal policymaking. Historically, when a national security threat to America is imminent, I’ve seen leaders act swiftly, honorably and without regard for politics. In this case, we have waning time to act: The 2018 election season is weeks away with primaries starting in March in Illinois and Texas. And when it comes to Russia’s goal of undermining democracy, they’re not likely to take this cycle off. Indeed, they will most likely apply the lessons of 2016 with a more calculated approach.

After 47 years in working in national security — much of that spent in the military and federal government — I respect the evolving threats facing democracy today. Yet the urgent work at the state and local level to prepare for future elections will be insufficient if it is not fully matched and funded by the federal government.

With new leaders, including DHS Secretary Kirstjen Nielsen, assuming the helm, this is a moment to choose national defense over politics. A window, albeit closing, exists to support state and locals — along with mid-level civil servants — focused on the problem.

In the vital cause to reassure Americans that their democracy can withstand outside attacks, our enemies are counting on political division and chaotic discourse. I encourage leaders at every level to leverage the best of our national security resources, unite and then prove them wrong.

Francis X. Taylor, a senior advisor at the security consulting firm Cambridge Global Advisors in Washington, is the former under secretary for intelligence and analysis at the Department of Homeland Security. He also served as the former head of diplomatic security with the State Department and is a retired U.S. Air Force brigadier general.

Commentary: Pensions should avoid politics and invest for the benefit of our workers

This OpEd authored by Cambridge Global Chairman, Christopher Burnham, originally ran in the The Hill, December 10, 2017.

Why do public fiduciaries think they should impose their political agenda on other people’s retirement benefits? Is not the standard of care to manage public retirement funds with the highest return at the lowest reasonable risk? With more than 50 percent of all state pension funds significantly underfunded and at least five states, including my native Connecticut, facing immanent bankruptcy due to grossly unfunded state employee and teacher pension systems, why would both beneficiaries and taxpayers, who will be forced to makeup those liabilities, want to politicize the management of the money? As I will also be a beneficiary in a few years, please manage the money without a political agenda.

When I was elected state treasurer of Connecticut in 1994, I inherited the worst performing state pension system in America for the previous 10 years. Within the first six months we fired the vast majority of money managers and indexed 75 percent of the portfolio. Yet, I was attacked for holding tobacco stocks in the portfolio, by virtue of the fact that we owned an S&P 500 stock index fund. I refused to play politics with the pension, particularly after 10 years of politics had relegated pension fund performance to the gutter. Instead, we focused on the highest return at a reasonable risk, and performance skyrocketed from dead last to the top 25 percent in the country, overnight.

Now a new era of activists, without any regard to fiduciary responsibility, is injecting politics into pension systems, yet again, by trying to make states, counties and municipalities across the country divest of shares in energy companies. Why would we seek to undermine the integrity of a secure retirement for our teachers and government employees? If they, individually, want to invest in activist funds, they should force states to move to a system similar to the U.S. government employee retirement system, or to a full or partial defined contribution system, such as Rhode Island recently did. Then retirees can make decisions for themselves.

However, to force a political agenda to be shoved into the investment of their retirement accounts is wrong, and a clear violation of fiduciary responsibility. Moreover, if you divest from energy investments, where do you stop? If you remove energy companies, why not remove fast food companies? How about booze, gambling and producers of sugary drinks? As a combat veteran, I am very grateful for the strength of our American defense industry and believe we should invest more in defense companies. Would everyone else agree with me?

Additionally, pressure is mounting on banks. Recently, U.S. Bank, the leading provider of financial products and services to the federal government for over 30 years, has ceded to these activist groups and announced radical changes to corporate policies, including ceasing its investments in energy infrastructure. Its management announced that U.S. Bank plans to stop providing construction for energy pipelines, although it has not announced that that it will no longer service the major railroad carrier, which carry all of the coal Minnesota uses to produce over 30 percent of their electric energy needs. Fiduciary responsibility also means responsibility to shareholders.

We must not allow individual political and ideological agendas to break the special trust and confidence our government and teacher retirees should have in those who are elected or appointed to be the fiduciaries of retirement systems across our country. Unless mandated by law, such as owning shares in companies doing business in North Korea, there is no room for ideological agendas in the management of other people’s money, particularly our teachers and government employees.

Christopher B. Burnham is the former state treasurer of Connecticut, where he was sole fiduciary of the $16 billion Connecticut pension system, and former undersecretary general of the United Nations, where he was sole fiduciary of the $42 billion United Nations pension system. He is now chairman of consulting firm Cambridge Global Advisors.

COMMENTARY: DHS office leading the way on federal cyber innovation

This article originally appeared in Fifth Domain, September 26, 2017.

By: Chris Cummiskey

It isn’t often that the words innovation and government find their way into the same sentence. When they do, it is often to decry the lack of innovation in government practices. Silicon Valley and other corporate leaders have long lamented that the federal government just doesn’t seem to understand what it takes to bring innovation to government programs.

One office in the federal government is having an outsized, positive impact on bringing private sector innovation to government cybersecurity problem solving. The Cybersecurity Division (CSD) of the Science & Technology Directorate at the Department of Homeland Security has figured out how to crack the code in swiftly delivering cutting edge cyber technologies to the operators in the field. Some of these programs include: cybersecurity for law enforcement, identity management, mobile security and network system security.

The mission of CSD is to develop and deliver new technologies and to defend and secure existing and future systems and networks. With the ongoing assault on federal networks from nation-states and criminal syndicates, the mission of CSD is more important than ever.

CSD has figured out how to build a successful, actionable strategy that produces real results for DHS components. Their paradigm for delivering innovative cyber solutions includes key areas such as a streamlined process for R&D execution and technology transition, international engagement and the Silicon Valley Innovation Program (SVIP).

R&D Execution and Technology Transition

One of the greatest impediments to taking innovative ideas and putting them into action is the federal acquisition process. As a former chief acquisition officer at DHS, I certainly understand why there needs to be federal acquisition regulations. The challenge is these regulations can be used to stifle the government’s ability to drive innovation. I am encouraged by the efforts to overcome these obstacles by federal acquisition executives like DHS Chief Procurement Officer Soraya Correa – who is leading the fight to overcome these hurdles.

Under the leadership of Dr. Doug Maughan, CSD has created a process with the help of procurement executives that swiftly establishes cyber capabilities and requirements with input from the actual users. They have designed a program that accelerates the acquisition process to seed companies to work on discreet cyber problems. The CSD R&D Execution Model has been utilized since 2004 to successfully transition over 40 cyber products with the help of private sector companies. The model sets up a continuous process that starts with workshops and a pre-solicitation dialogue and ends with concrete technologies and products that can be utilized by the operators in the various DHS components. To date the program has generated cyber technologies in forensics, mobile device security, malware analysis and hardware enabled zero-day protections and many others.

International Engagement

Maughan often states that cybersecurity is a global sport. As such, many of the challenges that face the United States are often encountered first by other countries. Maughan and his team have worked diligently to leverage international funding for R&D and investment. CSD is regularly featured at global cyber gatherings and conferences on subjects ranging from international cyber standard setting to sharing R&D requirements for the global entrepreneur and innovation communities.

Silicon Valley Innovation Project (SVIP)

It seems like the federal government has been trying to get a foothold in Silicon Valley for decades. Every president and many of their cabinet secretaries in recent memory have professed a desire to harness the power of innovation that emanates from this West Coast enclave. One of the knocks on the federal government is that it just doesn’t move fast enough to keep pace with the innovation community. Maughan and the folks at CSD recognize these historic impediments and have moved deftly to build a Silicon Valley Innovation Project (SVIP) that is delivering real results. To help solve the hardest cyber problems facing DHS components like the Coast Guard, Customs and Border Protection, the United States Secret Service and the Transportation Safety Administration, SVIP is working with Silicon Valley leaders to educate, fund and test in key cyber areas. The program is currently focusing on K9 wearables, big data, financial cybersecurity technology, drones and identity. The SVIP has developed an agile funding model that awards up to $800,000 for a span of up to 24 months. While traditional procurement processes can take months, the SVIP engages in a rolling application process where companies are invited to pitch their cyber solutions with award decisions usually made the same day. The benefits of this approach include: speed to market, extensive partnering and mentoring opportunities for the companies and market validation.

Conclusion

Moving innovative cyber solutions from the private sector to the federal government will always be a challenge. The speed of innovation and technological advancement confounds federal budget and acquisition processes. What Maughan and CSD have proven is that with the right approach these systems can complement one another. This is a huge service to the men and women in homeland and cybersecurity that wake up every day to protect our country from an ever-increasing stream of threats.

Chris Cummiskey is a former acting under secretary/deputy under secretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

COMMENTARY: A Political Surge is What's Needed in Afghanistan

By: Doug Lute

As the Trump Administration considers options to break the stalemate in the 15-year war in Afghanistan, it is important to look beyond military approaches. 

The roots of Afghanistan's problems require a political surge in support of President Ashraf Ghani’s government.

For too long American policy has fixated on the security situation and the military means required to address it. The military effort has been a shiny object that has captured our attention while the political roots of the war and potential political approaches to resolving it have been discounted, under-resourced, or even ignored.  Military tools alone can sustain the current stalemate, but not reverse it.  Adding a few thousand or even many more troops will not substantially change the situation. Ending the war primarily through military means is a mirage.The security stalemate is a symptom of three inter-related political stalemates: in Kabul within the Afghan government, regionally with Afghanistan's neighbors, and ultimately between the Afghan government and the Afghan Taliban. First, weak Afghan governance, zero-sum politics and endemic corruption fuel the Taliban insurgency. The compromise that formed the National Unity Government in the wake of the disputed 2014 presidential election resolved the immediate political crisis, but the parties have been unable to move beyond narrow partisan interests.

Now key political milestones are on the horizon: parliamentary elections in 2018; presidential elections in 2019; and in 2020 the next installment of international funding for Afghan security forces, the civilian government and development support. Success at these milestones depends mainly on the Afghan government’s moving beyond stalemate, not on how many U.S. troops are on the ground.

Second, Afghanistan's relations with key neighbors are also stalemated, especially with Pakistan where Taliban leaders enjoy a safe haven, but also with Russia and Iran. For its part, U.S. attempts at regional approaches to stabilizing Afghanistan have not been effective due to competing, higher priority interests. In Pakistan, U.S. core interests include suppressing terrorist groups with trans-national reach including the remnants of core al Qaeda, internal stability in a country with the world's fastest growing nuclear arsenal, and the stability of the often tense Pakistan-India relations. 

U.S. interests with Russia focus on Ukraine, challenges to NATO, the crisis in Syria, and interference in democratic processes in the U.S. and other democracies. Our priority interests with Iran are her destabilizing activities across the Middle East including support for the Assad government in Syria, the implementation of the nuclear agreement, and the potential for military miscalculation in the Gulf. With China, too, though our interests in Afghanistan largely converge, we have interests more important than stabilizing Afghanistan. The net effect is that we have tended to discount regional approaches and focused on stabilizing Afghanistan from within, which cannot possibly work.

Finally, despite years of trying we have yet to gain traction on an Afghan-led political approach to the Taliban. The Taliban are not going away and will not be defeated by military means alone. The war in Afghanistan will end with a political settlement, not a military victory.  Some argue that recent Taliban battlefield gains diminish their interest in pursuing talks with the Afghan government and before talks we must dominate militarily. The security situation is actually stalemated with both sides suffering heavy attrition. We should consider anew with our Afghan partner what it would take to move towards a political settlement, using both military means and political compromise to improve chances of success.

In Afghanistan, the Trump Administration — like its two predecessors — encounters a case where political approaches will prove decisive in the long run. As in all conflicts, military tools are only a means to a political end. We should focus on what matters most: breaking the three political stalemates. What we need is a political surge. 

Douglas Lute is a former NSC official in the Bush and Obama Administrations responsible for coordinating US policy in Afghanistan and former U.S. Ambassador to NATO (2013-17). He is also a Senior Fellow with Harvard Kennedy School’s Belfer Center for Science and International Affairs.