Cybersecurity Can Learn From Maritime Security

There may be an answer to the long-running debate about whether to split US Cyber Command from the National Security Agency and where does the civilian sector fit in to the offensive side of the cyber equation. 

Senator John McCain  chairman of the Armed Services Committee, offered an idea at a recent hearing with Adm. Mike Rogers, commander of US Cyber Command and director of NSA, that seems to have real legs.

McCain suggested that the Coast Guard could be a model for how cybersecurity is organised in the federal government.

“That Coast Guard has an interesting mix of authorities that may be just as applicable in cyber-space as they are in territorial waters. They’re both an agency within the Department of Homeland Security as well as a branch of the armed services.

They can operate both within the United States and internationally and can seamlessly transition from law enforcement to military authorities,” McCain said at the May 9 hearing.

“A cyber analog to the Coast Guard could be a powerful tool for addressing gaps that impede our existing organisational structure. It could also serve as a much-needed cyber first response team responsible for immediate triage and handoff to the appropriate federal entity for further response, remediation, or law enforcement action.”

Cybersecurity crosses boundaries similar to drug smuggling and pirating. The Internet is similar to the oceans and seas.

If the Navy had to hand off to the Coast Guard every time a speed boat carrying drugs crossed into US territorial waters, imagine the inconvenience and hassle that would cause.

How is cyber any different? When an attack emanates from a foreign country on a military base or a critical infrastructure provider, is it a law enforcement or military responsibility to respond? So far it’s been the FBI taking the lead with investigations, and the Homeland Security Department performing clean up duties.

McCain and other legislators are concerned about the increasingly distributed roles and responses to cyber-attacks.

“Achieving a credible deterrent requires integration of capabilities and focus policy development across the Department of Defense. As well as through the whole of government involving DOD, the State Department, the intelligence community, DHS and the Justice Department. We had not seen evidence yet that the new administration appreciates these urgent problems and intends to address them. The cyber command, specifically,” said Sen. Jack Reed (D-R.I.), ranking member of the committee.

“The committee has heard concerns that our military cyber forces are almost exclusively focused on the technical aspects of cyber-space operations such as detecting network intrusions, expelling intruders and figuring out how to penetrate a network of adversaries. The concern is that this focus misses the crucial cognitive element of information operations conducted through cyber-space.”

The Coast Guard, on the other hand, protects the nation’s waterways in a multi-dimensional way.

Retired Adm. James Loy, who served as the Coast Guard’s commandant for four years and DHS deputy secretary for two years in the 1990s to the mid-2000s, said the service is a blend of military tactics and law enforcement authorities.

“The picture Sen. McCain is painting is the ability to have constructed means by which they can fly back and forth between law enforcement and military tactics, and have the policy to get done what they have to by law,” said Loy, who now is a senior counselor with the Cohen Group.

“On the law enforcement side, the service has led efforts to provoke bilateral arrangements with Caribbean countries so they are acting on behalf of the country. They have the flexibilities and are designed with the intent to move between regulatory and military tactics that the senator is describing as a model. That is enormously effective for the Coast Guard.”

Loy said while he’s not an expert on cybersecurity, the analogy is a good one because the point McCain is making is all about flexibility to meet the mission.

“Is there a version of that in the cyber world that would be valuable?” he said. “There is a similar degree of those kinds of policy aspects, tactical utilization of resources and an end game of efficiency and effectiveness so the model may have application.”

McCain’s concern seems to be about the long-term sustainability of the current set up. While a spokesman for his office offered nothing further about this idea of a Coast Guard model, the senator did press Rogers on this question during the hearing.

Rogers said it was sustainable, but questioned whether it was the most effective way to address cybersecurity concerns.

“My recommendation, my input to the process has been, our challenge is, so we built a foundation with a series of very specialised and distinct responsibilities and yet I think what experience has taught us over the last few years is it’s our ability to respond in a much more integrated focused way is really the key to success here,” Rogers said. “And I think that’s the challenge, how do we more formally integrated these capabilities across the government.”

The Defense Department has a report due to the committee on or about June 23 on military/non-military options available to deterring and responding to imminent cyber threats. Congress asked for the report in the 2016 National Defense Authorization Act.

Rogers said he knew DoD is working on the report.

Loy said the Coast Guard adapted its mission space and response over the last 25 years or more. DoD, DHS, the FBI and others don’t have that luxury with cybersecurity.

“If you just look at gradual emergence of this challenge, DoD has been concentrating on things in space and cyber related from the offensive and defensive perspective for a long time, but it’s the maturation of both the threat and the vulnerabilities and capabilities that causes some more direct thinking to be considered for organisational mashups,” he said.

“To the degree the rose was pinned on DHS to be responsible for areas not related to DoD, think about what that did and the enormous complexity has caused over the last decade or more of thinking about how to do that.

“I can see that morphing with ultimate responsibility with some sort of cyber organisation, every bit as responsible for cyber as the Coast Guard is for the maritime domain. Whoever gets the rose pinned on them will serve the nation better based on this preparation.”

Federal News Radio:

You Might Also Read:

Will NSA & CyberCom Split?:

US Must Project Cyber Warfare Capabilities to Deter Attacks:

 

« Binky: An Anti-Social Media Simulator
Power Companies Cyber ‘Nightmare’ »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Kroll

Kroll

Kroll provides clients a way to build, protect and maximize value through our differentiated financial and risk advisory and intelligence.

TrustArc

TrustArc

TrustArc provide privacy compliance and risk management with integrated technology, consulting and TRUSTe certification solutions – addressing all phases of privacy program management.

Neupart

Neupart

Neupart provides Information Security Management System, Secure ISMS, allowing organisations to automate IT Governance, Risk and Compliance management.

TROOPERS

TROOPERS

TROOPERS InfoSec event consists of two days of high-end training, followed by a two-day, three-track conference, culminating in Roundtables on the final day.

Data Theorem

Data Theorem

Data Theorem is a leading provider in modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere.

Beyond Identity

Beyond Identity

Beyond Identity employs an elegantly simple concept, the personal certificate authority and self signed certificates, to replace passwords.

Immunefi

Immunefi

Immunefi provides bug bounty hosting, consultation, and program management services to blockchain and smart contract projects.

StarLink

StarLink

StarLink is an acclaimed Value-Added Distributor across the Middle East, Turkey and Africa regions with on-the-ground presence in 20 countries including UK and USA.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

Orchestrate Technologies

Orchestrate Technologies

Orchestrate Technologies provides computer network and IT managed services for small and mid-market clients as well as small enterprise businesses.

Acclaim Technical Services (ATS)

Acclaim Technical Services (ATS)

ATS provide operational products, services and solutions to the defense and intelligence communities for all types of critical mission needs.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Custocy

Custocy

Custocy is a unique collaborative AI technology that identifies sophisticated and unknown (zero-day) attacks.

iConnect IT Business Solutions DMCC

iConnect IT Business Solutions DMCC

iConnect is a trusted IT Solutions and Technology Services company, proudly serving clients across the Middle East and Africa.