By Andy Jabbour
- Following the House of Representatives, the US Senate needs to approve the re-designation of DHS’s National Protection and Programs Directorate (NPPD) to become the Cybersecurity and Infrastructure Security Agency (CISA);
- The President should nominate, and the Senate should confirm, Christopher Krebs as Under Secretary for NPPD and then as the first Director of National Cybersecurity and Infrastructure Security.
On 11 Dec, the US House of Representatives passed H.R. 3359 – Cybersecurity and Infrastructure Security Act of 2017. The bill, “amends the Homeland Security Act of 2002 to redesignate the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency (CISA) to be headed by a Director of National Cybersecurity and Infrastructure Security to lead national efforts to protect and enhance the security and resilience of U.S. cybersecurity, emergency communications, and critical infrastructure.”
Over the last few weeks, I’ve had two opportunities to hear the Senior Official Performing the Duties of the Under Secretary (God bless the US government, who else could come up with that…) Chris Krebs talk on this and the motivation and importance behind the name change. I was not sure what I thought on the issue but after hearing Chris speak on this topic, and with an understanding of the all-hazards threat environment our critical infrastructure is facing today, I agree with the importance of these changes.
There are several good reasons for the changes, to include: better positioning the newly minted Agency to lead the nation’s infrastructure security and resilience mission, to better coordinate the protection of the federal government’s networks and physical infrastructure, and to better assist public and private sector organizations manage their cyber risk. The new Agency would, “be composed of DHS components reorganized as: (1) the Cybersecurity Division; (2) the Infrastructure Security Division; and (3) the Emergency Communications Division,” and maintain responsibility for chemical facilities antiterrorism standards. The rebranding and realignment support DHS “to more effectively execute cybersecurity and critical infrastructure related authorities.”
“With the advancement of technology and our increased dependence on computer networks, nation states, hackers, and cybercriminals are finding new ways to attack our cyber infrastructure and expose vulnerabilities. This re-alignment will achieve DHS’s goal of creating a stand-alone operational organization, focusing on and elevating its vital cybersecurity and infrastructure security missions to strengthen the security of digital America and our nation’s critical infrastructure.” – House Homeland Security Committee Chair, Michael McCaul, 11 Dec 2017
It has been over ten years since I first walked into DHS offices at the Nebraska Avenue Complex, where I walked into NPPD, at the time supporting the Office of Infrastructure Protection prepare for the Top Officials IV exercise. I couldn’t tell you then what NPPD stood for and I still have to look it up when spelling it out today. National Protection and Programs Directorate is a painful, ambiguous organizational name that doesn’t say anything and that no one cares to remember. Reality is names matter, clarity matters, helping partners – particularly the owners and operators of critical infrastructure – clearly and properly understand the mission matter. Rebranding to Cybersecurity and Infrastructure Security Agency accomplishes that. It may still not be great, but it is clear. I can understand who I’m talking to. I can understand why this organization may be talking to me. Reorganizing to better support that mission and removing general support functions better executed elsewhere within DHS, allows the organization to focus on its essential missions and partners – which at this time, in this environment of endless cyberattacks and terrorism aspirations – is of vital importance.
National Protection and Programs Directorate is a painful, ambiguous organizational name that doesn’t say anything and that no one cares to remember
This week we saw another attempted terrorist attack in New York City. Also this week, FireEye reported on a deliberate, suspected nation-state sponsored cyberattack against critical infrastructure that “targeted systems (that) provided emergency shutdown capability for industrial processes,” and noted that they, “assess with moderate confidence that the attacker was 
developing the capability to cause physical damage and inadvertently shutdown operations.” FireEye also wrote, “the attacker’s long-term objective was to develop the capability to cause a physical consequence.”
The future of cyberattacks will increasingly involve blended attacks that will target our ever-more interwoven cyber-physical systems. Such attacks will have greater and greater impacts across critical infrastructure and we, as a nation, need to properly organize ourselves and prepare for the changing threat and risk landscape. It is important to have a single, recognizable, federal entity leading this coordinated effort across the federal government, in collaboration with state and local governments, and vitally, with the private sector critical infrastructure owners, operators, and
associations – directly and via their designated Information Sharing and Analysis Centers (ISACs) and the cross-sector National Council of ISACs.
In an increasingly blended, interwoven environment, our nation needs a primary agency to lead this coordinated effort and to efficiently work with critical stakeholders. That requires a clearly identifiable and properly organized federal entity and it requires a leader that has experience in government and with industry, in critical infrastructure, and in physical and cyber security. At this time, there are not a lot of individuals with that diverse background and the qualities of leadership needed to properly establish a new organization that is also actively engaged in operational issues across a very active, hostile threat environment.
Today’s threats demand a properly organized federal entity and a leader that has experience in government and with industry, in critical infrastructure, and in physical and cyber security
For these reasons, our nation – its critical infrastructure, and the American people – need the Senate to move on these issues now and not to let politics and bureaucracy delay our ability to properly secure, prepare for, and respond to the many threats facing our country from terrorists, other extremists, hostile nations, and other actors across both physical and cyber security.
Earlier today, Shaun Waterman wrote that, “The bill passed by the U.S. House of Representatives to create a new cybersecurity agency inside the Department of Homeland Security faces a tough climb in the Senate despite bipartisan support, observers and staffers say.” We simply can’t afford for this to drag out.
With urgency, the US Senate needs to follow the House of Representatives and approve the re-designation and of DHS NPPD to become the Cybersecurity and Infrastructure Security Agency (CISA) and the President should nominate, and the Senate should confirm, Christopher Krebs as Under Secretary for NPPD and then as the first Director of National Cybersecurity and Infrastructure Security.
When it comes to securing and protecting our critical infrastructure, our nation’s leaders need to lean forward, and take action, to ensure the proper conditions exist for government and businesses to work together to secure, protect, and respond to the current and evolving threat environment.
This blog was written by Andy Jabbour, Gate 15’s Co-Founder and Managing Director. Andy leads Gate 15’s risk management and critical infrastructure operations with focus on Information Sharing, Threat Analysis, Operational Support & Preparedness Activities (Planning, Training & Exercise). Andy has years of experience working with partners across the critical infrastructure and homeland security enterprise to support national security and client business needs.
Maintain security and threat awareness via Gate 15’s free daily paper, the Gate 15 SUN and learn more about Hostile Events Preparedness and our HEPS Program here. Gate 15 provides intelligence and threat information to inform
routine situational awareness, preparedness planning, and to penetrate the decision-making cycle to help inform time-sensitive decisions effecting operations, security, and resources. We provide clients with routine cyber and physical security products tailored to the individual client’s interests. Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics.
