Bank Policy Institute

01/16/2025 | News release | Distributed by Public on 01/16/2025 11:01

Cybersecurity Needs a DOGE of Common Sense

Cyberattacks unquestionably represent a major security threat to our nation's critical infrastructures - communications, power and financial services. Firms in those industries must not only defend on a daily basis against random hackers and organized criminal groups but also prepare for far more sophisticated and powerful attacks by nation-states. (A recent example was the Salt Typhoon attack in which the Chinese infiltrated our communications infrastructure.)

Those firms are spending fortunes, hiring in some cases thousands of cybersecurity professionals and retaining specialty contractors. They have also established good, though largely undisclosed, relationships with the intelligence and law enforcement communities. In the case of financial services, firms also work closely with the Treasury Department, which has an Office of Cybersecurity and Critical Infrastructure Protection fully dedicated to supporting the sector in its cybersecurity efforts.

The banking industry, though, is uniquely subject to additional government intervention. Examiners from the federal banking agencies (Federal Reserve, OCC, FDIC) examine banks for their cybersecurity on a continuous basis. These agency examiners generally have no expertise in cybersecurity or technology and lack practical experience running a security program, much less one of the complexity they face at the nation's larger banks. They are not veterans of the NSA or Palantir but rather of bank examination training. They are cyber auditors. As a result, their efforts focus on forcing cyber teams to document detailed processes and then ensuring that they comply 100 percent of the time. They do not focus on outcomes.

Last year, a survey of bank Chief Information Security Officers - the people responsible for guarding against cyberattacks - revealed that they spent 30-50 percent of their time on compliance and examiner management; their teams spent 70 percent of their time on those functions. They reported on average over 100 requests for information leading up to an average examination, with anywhere from 75 to 100 supplemental requests during the exam. And 25 percent of examination requests duplicate requests from other agencies. They also anecdotally report major morale problems, including burnout and attrition among their staff driven by the need to respond to these requests within days or hours.

Six years ago, then-Treasury Secretary Mnuchin launched an effort to at least reduce the duplication of examination effort - convening all the banking agencies and urging them to conduct consolidated cyber exams for each bank. They began conducting an annual consolidated exam, but... they also continued conducting their own individual exams.

It is time for a reassessment. Someone in government with national security responsibilities should decide whether having multiple teams of examiners regularly quizzing CISOs on their paperwork is a material boost to their security. If so, then that model should be rolled out to every other company that is part of our critical infrastructure. If instead it turns out that such a process yields few benefits or worse yet is in fact a major impediment to cyber defense (as seems likely), then someone should force bank examiners to stop. As in, immediately.

A better, common-sense alternative is to empower a single agency, with a permanent staff that has real expertise and connectivity to the intelligence and national security communities, to support banks' defensive efforts rather than continuously examine their processes. The Treasury Department already houses such an office, which could play a larger role alongside its intelligence function.

Leadership is needed. Someone must take responsibility and establish the regime that best defends our nation, rather than one that preserves bureaucratic prerogatives. The stakes are simply too high.