Converging Cyber and the Physical

Paul Rosenzweig
Monday, December 7, 2015, 9:06 AM

Form should follow function. That's a cardinal rule of architecture and also a cardinal rule of corporate organization. Anyone who saw the video earlier this year where hackers successfully took remote control of a Jeep Cherokee knows that, in the cyber domain, cybersecurity is quickly converging with physical security. Physical risks are cyber enabled and cyber risks have a physical component.

Published by The Lawfare Institute
in Cooperation With
Brookings

At DHS the National Protection and Programs Directorate has, broadly speaking, overall responsibility for coordinating risk reduction to critical American infrastructure. For many years (mostly as a legacy) the directorate has divided its protection mandate into two distinct parts -- one physical and one cyber-related. Of late, NPPD has recognized that this dichotomy is misguided. Leadership has proposed a reorganization of the institution to house physical and cyber security elements in the same component, to be named "Infrastructure Security."

All reorganizations come at a cost. But this cost, it seems to me, is one well worth incurring. Allowing merged components to cross-walk cyber and physical risks will optimize our response to both of them. The reorganization is fundamentally a good idea.

Rumors off the Hill suggest, however, that some disagree. They seek to prohibit the reorganization with a rider on the CISA cybersecurity bill. I'm not sure whether the opposition is parochial or just a "don't rock the boat" reaction to change, but whatever the source, it is the wrong instinct. Some 70-80% of the reorganization can be done without Congressional authority. The remainder will require affirmative approval. At a minimum, Congress should allow NPPD to optimize its organization to meet cyber and physical threats under existing authority. Even better would be a positive approval of the change. But the worst of all possible worlds would be a prohibition. Form should follow function.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company. He formerly served as a senior advisor to The Chertoff Group and deputy assistant secretary for policy in the Department of Homeland Security. He is a professorial lecturer in law at George Washington University, a senior fellow in the Tech, Law & Security program at American University, and a board member of the Journal of National Security Law and Policy.