Homeland Security

Converging Cyber and the Physical

By Paul Rosenzweig
Monday, December 7, 2015, 9:06 AM

Form should follow function.  That's a cardinal rule of architecture and also a cardinal rule of corporate organization.  Anyone who saw where hackers successfully took remote control of a Jeep Cherokee knows that, in the cyber domain, cybersecurity is quickly converging with physical security.  Physical risks are cyber enabled and cyber risks have a physical component.

At DHS the National Protection and Programs Directorate has, broadly speaking, overall responsibility for coordinating risk reduction to critical American infrastructure.  For many years (mostly as a legacy) the directorate has divided its protection mandate into two distinct parts -- one physical and one cyber-related.  Of late, NPPD has recognized that this dichotomy is misguided.  of the institution to house physical and cyber security elements in the same component, to be named "Infrastructure Security."

All reorganizations come at a cost.  But this cost, it seems to me, is one well worth incurring.  Allowing merged components to cross-walk cyber and physical risks will optimize our response to both of them.  The reorganization is fundamentally a good idea.

Rumors off the Hill suggest, however, that some disagree.  They seek to prohibit the reorganization with a rider on the CISA cybersecurity bill.  I'm not sure whether the opposition is parochial or just a "don't rock the boat" reaction to change, but whatever the source, it is the wrong instinct.  Some 70-80% of the reorganization can be done without Congressional authority.  The remainder will require affirmative approval.  At a minimum, Congress should allow NPPD to optimize its organization to meet cyber and physical threats under existing authority.  Even better would be a positive approval of the change.  But the worst of all possible worlds would be a prohibition.  Form should follow function.