By Mary Wang. October 4, 2018.
If you’re any bit like me, the first images that come to mind at the word “cybersecurity” are Elliot from Mr. Robot and Penelope from Criminal Minds, or maybe just a hooded figure in a dimly lit room. But if you’re Deb Crawford from the National Security Agency (NSA), the first thoughts that come to mind probably align more with protecting information, systems, and national security.
At Duke’s first Cyber Club meeting last Monday, I was lucky enough to hear Crawford, an Internet of Things research lead at the Laboratory of Analytic Sciences, speak about how cyber fits into the federal government. The National Cyber Strategy had been signed by President Trump a few days prior, the latest version in 15 years, and Crawford explained that this strategy sets the overarching goals of his administration; the Secretary of Defense then elaborates on implementation in a Department of Defense cyber strategy, and the military lists missions and tasks to accomplish those objectives. Establishing a national strategy in the cyber domain highlights the growing importance of cyberspace to the U.S. government, one that is well-articulated in the first sentence of that same strategy: “America’s prosperity and security depend on how we respond to the opportunities and challenges in cyberspace.”
Crawford stressed those words when answering the broad question of how the government responds to security threats in cyberspace. It turns out there is no single answer, though she did promise us a key. The United States government has a hierarchy of organizations that may all be involved in cyber. Their different jurisdictions are determined by a complicated hierarchy chart with so many parts that, to fit them all on the presentation screen, the text was shrunk almost too small to be read. After a minute of squinting, I was relieved when Crawford announced that we didn’t need to—the key was one small box that listed the U.S. Code and its different titles.
Jurisdiction is based on intentions, Crawford explained, and the titles in the U.S. Code define the jurisdictional authority of different agencies. For example, Title 10 assigns the Department of Defense to national defense, allowing it to take military action, while Title 50 gives the Office of the Director of National Intelligence (ODNI) jurisdiction over intelligence operations.
Pretend you are the CEO of a company that was just hacked. Would you expect the NSA at your door? What about the U.S. military? You probably don’t want either of the two; you would expect the FBI, because that’s who has jurisdiction over prosecution of criminal actions.
What if jurisdiction isn’t clear or it overlaps? Crawford pointed back to the U.S. Code each time. She answered that it was simple: jurisdiction is based on intention. Based on the U.S. Code, one agency will take lead on the response, and other agencies will provide support in interagency coordination. The need for that cooperation, Crawford explained, is why the commander of the U.S. Cyber Command is also the director of the NSA.
Interesting enough, the way Crawford pointed back to the U.S. Code when asked some version of “who would be in charge of x?” portrayed better organization than I expected in federal government approaches to cybersecurity. In the television shows I’ve watched, it’s common to see officials from different agencies arguing over who has jurisdiction on the case, the agencies they’re from most often being the FBI and CIA. By pointing back to the U.S. Code each time, she made it clear that conflict of jurisdiction was not as dramatic as the Hollywood portrayals might seem.
In the past decade, it has become obvious at the national level that cybersecurity and cyber attacks are not just the stuff of television shows. While we—or maybe just me?—have been watching crime dramas portray hacking as 10-second flashes of code across computer screens, our government has been laying real groundwork to address the advances of cyber threats to national security. It is high time for us to learn about what’s going on, and Deb Crawford’s talk was a great introduction.
Mary Wang is a first-year majoring in computer science and a member of the Duke Cyber Team.