Criminal Justice & the Rule of Law

Converging Cyber and the Physical

Paul Rosenzweig
Monday, December 7, 2015, 9:06 AM

Form should follow function. That's a cardinal rule of architecture and also a cardinal rule of corporate organization. Anyone who saw the video earlier this year where hackers successfully took remote control of a Jeep Cherokee knows that, in the cyber domain, cybersecurity is quickly converging with physical security. Physical risks are cyber enabled and cyber risks have a physical component.

Published by The Lawfare Institute
in Cooperation With
Brookings

Form should follow function. That's a cardinal rule of architecture and also a cardinal rule of corporate organization. Anyone who saw the video earlier this year where hackers successfully took remote control of a Jeep Cherokee knows that, in the cyber domain, cybersecurity is quickly converging with physical security. Physical risks are cyber enabled and cyber risks have a physical component.

At DHS the National Protection and Programs Directorate has, broadly speaking, overall responsibility for coordinating risk reduction to critical American infrastructure. For many years (mostly as a legacy) the directorate has divided its protection mandate into two distinct parts -- one physical and one cyber-related. Of late, NPPD has recognized that this dichotomy is misguided. Leadership has proposed a reorganization of the institution to house physical and cyber security elements in the same component, to be named "Infrastructure Security."

All reorganizations come at a cost. But this cost, it seems to me, is one well-worth incurring. Allowing merged components to cross-walk cyber and physical risks will optimize our response to both of them. The reorganization is fundamentally a good idea.

Rumors off the Hill suggest, however, that some disagree. They seek to prohibit the reorganization with a rider on the CISA cybersecurity bill. I'm not sure whether the opposition is parochial or just a "don't rock the boat" reaction to change but whatever the source, it is the wrong instict. Some 70-80% of the reorganization can be done without Congressional authority. The remainder will require affirmative approval. At a minimum, Congress should allow NPPD to optimize its organization to meet cyber and physical threats under existing authority. Even better would be a positive approval of the change. But the worst of all possible worlds would be a prohibition. Form should follow function.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare