The US federal cybersecurity bureaucracy: A guide

A high-level look at the national offices and organizations involved in protecting the US from cyber threats.

Unitd States cybersecurity   >   U.S. flag with a digital network of locks instead of stars
Thinkstock

The federal government has awakened to the urgency of cybersecurity and responded with new agencies, appointments, and appropriations.  It’s an unsurprising flowering of bureaucracy, but it can make for a big picture that is hard to see.  Here is a high-level look at these offices and organizations and the roles they play.

The NSA

The National Security Agency is the grandaddy of cybersecurity organizations.  President Harry Truman created it in 1952 as an ultra-secret organization.  It grew out of military intelligence capability forged during WWII to handle signals intelligence (SIGINT) and information security (INFOSEC).  These are understood today as the twin goals of cyberspying and cybersecurity.  

As the world careened between global conflicts, the NSA enjoyed a period of rubber stamp budgets and anonymity.  For a long time, the NSA was jokingly referred to as “No Such Agency”, so shadowy that it was not officially revealed until 1975.

That has changed as over half a century of controversy brought abundant attention to the organization.  The NSA was explicitly intended to monitor only foreign communications (as spying on US citizens is a violation of the Constitution), but during the Vietnam war it was revealed in the Church Hearings that the NSA had been monitoring antiwar activists—this included some prominent citizens, including Mohammed Ali and Martin Luther King, Jr.

This overstep led to the Foreign Intelligence Surveillance Act (FISA) of 1978, but the NSA wasn’t done with these kinds of troubles.

The NSA, in its role of protecting communications ran into conflict with cryptographic innovation in the 70s and 80s.  With the introduction of Diffie-Hellman public-key cryptography in 1978, the battle between preserving private communication and government’s ability to listen in has been largely in favor of the former.

In the 2010s, the NSA again became the center of attention in its role of spying on people and things it shouldn’t.  Its Prism program, which apparently allowed for spying on American citizens’ communications via email, phone, and social media ran afoul of civil protections.  These revelations were part of the widely publicized WikiLeaks, Edward Snowden affair.

In response to this, the NSA has since undergone a PR overhaul including public outreach efforts. Like the IRS, improbably transforming its image from implacable machine to benevolent institution concerned with customer service.  They even do presentations now.

In 2018, Congress confirmed General Paul M. Nakasone as head of the NSA.  He recently described the US cyber defense posture, not surprisingly devoting a fair amount of space to the unfolding situation in Ukraine, but also touching on strategic highlights such as Iran, North Korea, ransomware, and election security.  With respect to China, he makes the interesting observation that “China is our pacing challenge, which I see as both a sprint and a marathon.”

U.S. Cyber Command (CYBERCOM)

CYBERCOM is the NSA’s sibling in the defense department, headquartered alongside the NSA at Fort Meade.  CYBERCOM was founded in 2009 and is a unified combatant command, the highest division within the U.S. military. 

There has been talk of separating the NSA and Cyber Command, but at this time they remain under a unified command, currently General Nakasone—known as a ‘dual-hat’ arrangement.

What is the difference between the two organizations? Given that the organizations are so steeped in secrecy, the difference is hard to determine exactly.  The NSA and Cyber Command operate (largely) with different legal authority, the former under Title 50 intelligence and the latter under Title 10 military authority.  This difference seems to be reflected in a more offensive-leaning posture to CYBERCOM. 

Although the mission statements for the NSA and CYBERCOM both read as similar—bland, yet encompassing descriptions of almost any kind of virtual activity—there is a subtle difference.

For example, CYBERCOM has this to say: “United States Army Cyber Command directs and conducts integrated electronic warfare, information and cyberspace operations [...] through cyberspace and the information environment, and to deny the same to our adversaries.”

Notable in the description is the word “warfare.”  Again the clandestine nature of the organization makes it hard to say, but perhaps CYBERCOM has its hand in alleged offensive activities like attacks on Iran and Russia.

Increasingly, cyberspace is seen as a battleground where conflict can play out with less risk than actual troop confrontation, and the ongoing invasion of Ukraine is no exception.

Cybersecurity & Infrastructure Agency (CISA)

CISA is the centerpiece in the federal government's most recent effort to respond to the cyber threat.  Its mission is to “lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.” 

CISA was founded in 2018 with a broad mission to protect infrastructure in general, but as the placement of cybersecurity indicates in the organization's title, with a prominent focus on securing infrastructure from cyber threats.  In general, CISA has a more defensive and regulatory stance than NSA or CYBERCOM.  It was central in defining the regulatory response to the KeyStone pipeline attack.  As a regulatory body, CISA is an organization that enforces compliance within the federal government, as detailed by its directives.

Also front and center for CISA is election security, as highlighted by CISA’s strategic intent document.  The organization interfaces with both the state and federal governments to shore up election infrastructure.

Although CISA is a more civilian-leaning body, its current head Jen Easterly, confirmed in 2021, is an alum of U.S. Army Intelligence and Cyber Security

National Institute of Standards and Technology (NIST)

NIST’s mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” 

In the realm of cybersecurity, NIST is focused on the nuts-and-bolts of cryptography.  It played a role in the story of developing modern cryptography (both symmetric and asymmetric). 

These days, NIST continues to have a hand in defining crypto standards and is leading the charge in developing post-quantum secure crypto algorithms

Deputy National Security Advisor for Cyber and Emerging Technology

The Deputy National Security Advisor for Cyber and Emerging Technology is currently Anne Neuberger, appointed in 2021 after working at the NSA.  This office is part of the National Security Council, advising the president on cybersecurity and helping to enact his orders across the landscape of agencies. 

For example, on 3/8/22, Anne Neuberger issued a statement describing how President Biden’s cybersecurity order was being executed with respect to enforcing security in all software—including open source components—used by the government.

In that order you can see the efforts of the deputy national security advisor to direct multiple agencies and private sector organizations into unified action.

National Cyber Director

The Office of the National Cyber Director (ONCD) is the most recent addition to the pantheon, created in 2021 and currently held by Chris Inglis.  This role is another advisor to the president, quite similar in intent to the advisor for cyber and emerging technology just described.  It is an office still in the process of building out its capabilities, with a focus on guiding unified action across the government.

It describes its mission as four-fold:

  • Ensuring federal coherence
  • Improving public-private collaboration
  • Aligning resources to aspirations
  • Increasing present and future resilience

Here we can very much see the efforts of the government to bring the multitude of different agencies under a common umbrella of leadership with respect to their cyber security missions.

The FBI

Of course, no tour of the federal cyber security landscape would be complete without a look at the FBI, which describes itself as “the lead federal agency for investigating cyber attacks and intrusions.” 

Their legacy stretches into the pre-digital past, and their image (or their cyber website, frankly) may not be as burnished with a modern, relevant glow by the new focus on cyber security as the other organization above, but to its credit are numerous cyber busts, like tracking down and arresting the international group behind the Zeus trojan thefts, dismantling the Coreflood botnet and recovering much of the Colonial Pipeline ransom

The FBI has a broad mandate in cyber security, running the gamut from simple fraud to elaborate, international ransomware organizations.

The cyber security e pluribus unum

As you can see, the most recent efforts of the federal government are in trying to define a comprehensive strategy that embraces such a sprawling empire.  Indeed, the above portrait is just a thumbnail sketch—it doesn’t even include the CIA, whose mission includes “cutting-edge digital and cyber tradecraft and IT infrastructure.”  Or how about the FTC’s responsibility for COPPA (Children’s Online Privacy Protection Act), or the TSA’s heavy involvement in cyber security requirements.

In fact, like every business is now a software business, every agency is now a cybersecurity agency. A central challenge in promoting US national cyber security is driving cohesion within the bureaucratic architecture.

Related:

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.