Cybersecurity Can Learn From Maritime Security

There may be an answer to the long-running debate about whether to split US Cyber Command from the National Security Agency and where does the civilian sector fit in to the offensive side of the cyber equation. 

Senator John McCain  chairman of the Armed Services Committee, offered an idea at a recent hearing with Adm. Mike Rogers, commander of US Cyber Command and director of NSA, that seems to have real legs.

McCain suggested that the Coast Guard could be a model for how cybersecurity is organised in the federal government.

“That Coast Guard has an interesting mix of authorities that may be just as applicable in cyber-space as they are in territorial waters. They’re both an agency within the Department of Homeland Security as well as a branch of the armed services.

They can operate both within the United States and internationally and can seamlessly transition from law enforcement to military authorities,” McCain said at the May 9 hearing.

“A cyber analog to the Coast Guard could be a powerful tool for addressing gaps that impede our existing organisational structure. It could also serve as a much-needed cyber first response team responsible for immediate triage and handoff to the appropriate federal entity for further response, remediation, or law enforcement action.”

Cybersecurity crosses boundaries similar to drug smuggling and pirating. The Internet is similar to the oceans and seas.

If the Navy had to hand off to the Coast Guard every time a speed boat carrying drugs crossed into US territorial waters, imagine the inconvenience and hassle that would cause.

How is cyber any different? When an attack emanates from a foreign country on a military base or a critical infrastructure provider, is it a law enforcement or military responsibility to respond? So far it’s been the FBI taking the lead with investigations, and the Homeland Security Department performing clean up duties.

McCain and other legislators are concerned about the increasingly distributed roles and responses to cyber-attacks.

“Achieving a credible deterrent requires integration of capabilities and focus policy development across the Department of Defense. As well as through the whole of government involving DOD, the State Department, the intelligence community, DHS and the Justice Department. We had not seen evidence yet that the new administration appreciates these urgent problems and intends to address them. The cyber command, specifically,” said Sen. Jack Reed (D-R.I.), ranking member of the committee.

“The committee has heard concerns that our military cyber forces are almost exclusively focused on the technical aspects of cyber-space operations such as detecting network intrusions, expelling intruders and figuring out how to penetrate a network of adversaries. The concern is that this focus misses the crucial cognitive element of information operations conducted through cyber-space.”

The Coast Guard, on the other hand, protects the nation’s waterways in a multi-dimensional way.

Retired Adm. James Loy, who served as the Coast Guard’s commandant for four years and DHS deputy secretary for two years in the 1990s to the mid-2000s, said the service is a blend of military tactics and law enforcement authorities.

“The picture Sen. McCain is painting is the ability to have constructed means by which they can fly back and forth between law enforcement and military tactics, and have the policy to get done what they have to by law,” said Loy, who now is a senior counselor with the Cohen Group.

“On the law enforcement side, the service has led efforts to provoke bilateral arrangements with Caribbean countries so they are acting on behalf of the country. They have the flexibilities and are designed with the intent to move between regulatory and military tactics that the senator is describing as a model. That is enormously effective for the Coast Guard.”

Loy said while he’s not an expert on cybersecurity, the analogy is a good one because the point McCain is making is all about flexibility to meet the mission.

“Is there a version of that in the cyber world that would be valuable?” he said. “There is a similar degree of those kinds of policy aspects, tactical utilization of resources and an end game of efficiency and effectiveness so the model may have application.”

McCain’s concern seems to be about the long-term sustainability of the current set up. While a spokesman for his office offered nothing further about this idea of a Coast Guard model, the senator did press Rogers on this question during the hearing.

Rogers said it was sustainable, but questioned whether it was the most effective way to address cybersecurity concerns.

“My recommendation, my input to the process has been, our challenge is, so we built a foundation with a series of very specialised and distinct responsibilities and yet I think what experience has taught us over the last few years is it’s our ability to respond in a much more integrated focused way is really the key to success here,” Rogers said. “And I think that’s the challenge, how do we more formally integrated these capabilities across the government.”

The Defense Department has a report due to the committee on or about June 23 on military/non-military options available to deterring and responding to imminent cyber threats. Congress asked for the report in the 2016 National Defense Authorization Act.

Rogers said he knew DoD is working on the report.

Loy said the Coast Guard adapted its mission space and response over the last 25 years or more. DoD, DHS, the FBI and others don’t have that luxury with cybersecurity.

“If you just look at gradual emergence of this challenge, DoD has been concentrating on things in space and cyber related from the offensive and defensive perspective for a long time, but it’s the maturation of both the threat and the vulnerabilities and capabilities that causes some more direct thinking to be considered for organisational mashups,” he said.

“To the degree the rose was pinned on DHS to be responsible for areas not related to DoD, think about what that did and the enormous complexity has caused over the last decade or more of thinking about how to do that.

“I can see that morphing with ultimate responsibility with some sort of cyber organisation, every bit as responsible for cyber as the Coast Guard is for the maritime domain. Whoever gets the rose pinned on them will serve the nation better based on this preparation.”

Federal News Radio:

You Might Also Read:

Will NSA & CyberCom Split?:

US Must Project Cyber Warfare Capabilities to Deter Attacks:

 

« Binky: An Anti-Social Media Simulator
Power Companies Cyber ‘Nightmare’ »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Allen & Overy

Allen & Overy

Allen & Overy is an international law firm. Practice areas include Cybersecurity and Data Protection.

CIRCL

CIRCL

CIRCL is the national Computer Incident Response Center of Luxembourg

Avatier

Avatier

Avatier identity management software products automate identity access management, user provisioning and IT governance to ensure information security and compliance.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

SteelCloud

SteelCloud

SteelCloud has spent the last decade inventing technology to automate policy compliance, configuration control, and Cloud security.

netfiles

netfiles

netfiles offers highly secure data rooms for sensitive business processes and secure data exchange.

e-Lock

e-Lock

e-Lock services include IT security consulting and training, security systems integration, managed security and technical support.

Hysolate

Hysolate

Hysolate has transformed the endpoint, making it the secure and productive environment it was meant to be.

Cyber Threat Alliance

Cyber Threat Alliance

CTA is working to improve cybersecurity of our digital ecosystem by enabling near real-time cyber threat information sharing among companies and organizations in the cybersecurity field.

Ockam

Ockam

Ockam gives you the tools you need to establish an architecture for trust within your connected device applications.

At-Bay

At-Bay

At-Bay offer an end-to-end solution to cyber risk with comprehensive risk assessment, a tailored cyber insurance policy and year-long, active, risk-management service.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

BLOCX

BLOCX

BLOCX is designed to address the ever-growing challenges of managing and securing digital devices, from personal computers to corporate networks.

LetsData

LetsData

LetsData uses AI to provide governments, intergovernmental organizations, civil society, and businesses with data-empowered decisions on communication in the age of online disinformation.