Former Facebook CSO Calls for New U.S. Defensive Cyber Agency

The former chief security officer at Facebook urged in a column published today on the “Lawfare” blog that the U.S. consider creating an independent, “defense-only” cybersecurity agency to deal with defense of election systems and processes that may come under attack by adversaries.

Alex Stamos, who stepped down earlier this month as CSO at Facebook, and previously headed security operations at Yahoo, included his suggestion for a new Federal cybersecurity agency among a list of steps to improve U.S. election security for 2020 – after concluding that “it’s already too late to protect the 2018 elections.”

On the cyber agency front, he singled out the National Security Agency and U.S. Cyber Command as “hyper-competent intelligence and military security organizations” but noted they are focused on offensive operations and face legal restrictions for domestic operations. The Department of Homeland Security, likewise, is focused on critical infrastructure protection, he said. That leaves the Federal Bureau of Investigation, Stamos said, as the “de facto agency coordinating cyber defense” in the U.S., but its long investigative timelines don’t “comport well with preventing attacks in the first place.”

“The United States should consider following its closest allies in creating an independent, defense-only cybersecurity agency with no intelligence, military or law enforcement responsibility,” Stamos said.

“In the run-up to the most recent French and German elections, the respective cybersecurity agencies of these countries had access to intelligence on likely adversaries, the legal authority to coordinate election protection and the technical chops to work directly with technology platforms,” he said. “These organizations were independent enough to work directly with the relevant political campaigns, and their uncompromised mandates made them effective partners for multinational tech companies.”

In addition to considering a defense-only cybersecurity agency, Stamos called on Congress to set legal standards that address online disinformation for both social media and online advertising providers.  While some social media providers including Facebook and Google have taken steps to deal with misinformation campaigns, Stamos said that work was voluntary and could be reversed, and he asserted that “the rest of the massive online advertising industry has kept changes to a minimum.”

Finally, he also said that all 50 states need to build robust election protection capabilities, and that Americans as a whole need to “demand that future attacks be rapidly investigated, that the relevant facts be disclosed publicly well before an election, and that the mighty financial and cyber weapons available to the president be utilized immediately to punish those responsible.”

Recent