Homeland Security

Converging Cyber and the Physical

By Paul Rosenzweig
Monday, December 7, 2015, 9:06 AM

Form should follow function.  That's a cardinal rule of architecture and also a cardinal rule of corporate organization.  Anyone who saw the video earlier this year where hackers successfully took remote control of a Jeep Cherokee knows that, in the cyber domain, cybersecurity is quickly converging with physical security.  Physical risks are cyber-enabled and cyber risks have a physical component.

At DHS the National Protection and Programs Directorate has, broadly speaking, overall responsibility for coordinating risk reduction to critical American infrastructure.  For many years (mostly as a legacy) the directorate has divided its protection mandate into two distinct parts -- one physical and one cyber-related.  Of late, NPPD has recognized that this dichotomy is misguided.  Leadership has proposed a reorganization of the institution to house physical and cyber security elements in the same component, to be named "Infrastructure Security."

All reorganizations come at a cost.  But this cost, it seems to me, is one well worth incurring.  Allowing merged components to cross-walk cyber and physical risks will optimize our response to both of them.  The reorganization is fundamentally a good idea.

Rumors off the Hill suggest, however, that some disagree.  They seek to prohibit the reorganization with a rider on the CISA cybersecurity bill.  I'm not sure whether the opposition is parochial or just a "don't rock the boat" reaction to change, but whatever the source, it is the wrong instinct.  Some 70-80% of the reorganization can be done without Congressional authority.  The remainder will require affirmative approval.  At a minimum, Congress should allow NPPD to optimize its organization to meet cyber and physical threats under existing authority.  Even better would be a positive approval of the change.  But the worst of all possible worlds would be a prohibition.  Form should follow function.