The Homeland Security Department has the power to do a lot more than just issue words of warning.
When I read about the latest cyber breach affecting several domestic federal agencies, I was once again perturbed by the actions—and lack thereof—that the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency took in response. They were acting with the best of intentions, but I believe there’s more they can do under such circumstances.
CISA officials believe that they are limited to warning civilian agencies about a cyberattack, telling them to make responding to it a priority, and offering technical expertise if asked. What they don’t do is what U.S. Cyber Command would do if this were a breach of a national security system: Deploy one or more of its crack cyber mission teams, staffed by military, civilian and contractor cyber experts, to attack the problem (and hopefully the attacker), under CYBERCOM Commander Gen. Paul Nakasone’s “Defend Forward” doctrine.
CISA could develop the ability to do the same. In my view, it has had the statutory authority to do so since 2013. It could have established a cybersecurity service with hundreds of employees—all working for CISA and as a result, much better paid using the 2013 statutory authority. These could have been dispatched to domestic agencies that are under attack even before they knew an attack had occurred. Most if not all of those agencies would welcome the help.
That’s what the Defense Department does, under similar authority granted to it by Congress in 2014. But instead of waiting almost 10 years to exercise that authority, DOD created a Cybersecurity Excepted Service two years later and has been using it ever since to hire civilian cyber experts to support CYBERCOM’s military cyber mission teams today.
If the recent cybersecurity breach would have happened in the national security space, we might not have even heard about it, but whether we had or not, you can rest assured the CMTs would be on top of it.
Why can’t CISA do the same? The excepted service authority Congress gave the agency as part of the fiscal 2014 National Defense Authorization Act in late 2013 envisioned just this sort of employment and deployment of personnel as a way to combat domestic cyberattacks, from cyberterrorism to plain old criminal activity. I should know. I led a team of senior subject matter experts who recommended that DHS exercise such authority.
But that’s not what DHS eventually established. In its long-awaited Cyber Talent Management System, DHS chose to take a far narrower view, employing its excepted service authority primarily to protect internal DHS systems. And the agency has been slow to implement even that more modest approach.
Here’s the good news, at least going forward: CISA Director Jen Easterly and her team can change all this. They’ll need to be a bit risk-averse, because DHS lawyers may stand in the way. But with all due respect to them, this is a policy call.
Easterly has the advantage of coming from the National Security Agency, where they’ve been exercising similar excepted service authority for years, using the Defense Civilian Intelligence Personnel System that CYBERCOM easily imported when it came to hiring and deploying their mission teams.
Where is the Office of Personnel Management on all this? It’s been sitting on a multi-agency special salary rate package for federal domestic cyber experts for months, waiting on debt ceiling relief and resolution of the federal government’s fiscal 2024 budget. Meanwhile, NSA and CYBERCOM are busy raising their civilian cyber warrior salaries to respond to a hypercompetitive labor market. All they need is permission from a DOD undersecretary to make those adjustments. That’s the way it’s supposed to work.
Actions matter, and one place to start would be for CISA to say that it will staff and deploy its own cyber mission teams as soon as possible—not just in emergencies, but on a long-term, sustainable basis, using the authority Congress gave it 10 years ago. We don’t have the luxury of waiting any longer.
Ronald Sanders is the former staff director for the Florida Center for Cybersecurity at the University of South Florida, a fellow of the National Academy of Public Administration, and a member of the Association for Public Administration’s National Council. He has also served as chair of the Federal Salary Council, Associate Director of OPM, IRS Chief Human Resources Officer, and Associate Director of National Intelligence for Human Capital.