Homeland Security Watch

News and analysis of critical issues in homeland security

February 24, 2012

Creating a Cyber Coast Guard

Filed under: Congress and HLS,Cybersecurity,Private Sector — by Philip J. Palin on February 24, 2012

It is not yet clear if the Cybersecurity Act of 2012 will be taken up by the whole Senate — as previously announced — or disappear into committee review while under sustained attack by those opposed.

Senator John McCain, one of those opposed, has promised a competing piece of legislation:

The fundamental difference in our alternative approach is that we aim to enter into a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations. Our bill, which will be introduced when we return from the Presidents’ Day recess, will provide a common-sense path forward to improve our nation’s cybersecurity defenses.

Last Friday I outlined the perceived — in my judgment, real — tension between collaboration and compliance that any approach to effective cybersecurity will require. The real debate is over how to resolve this tension: with more dependence on voluntary cooperation or the threat of regulation. (To be clear, the proposal unveiled on February 14 by Senators Lieberman, Collins, and others does not create new regulations per se, but it does initiate a public-private process that would eventually create a regulatory regime.)

Some private sector organizations have welcomed the opportunity to frame up the process; others are ready to do what they can to stop any movement toward regulation. So far the private sector line-up on each side seems mostly to reflect revenue streams: those that may make money on increased attention to cybersecurity favor the current proposal, while those that see cybersecurity mostly as a cost are opposed. (The cost-benefit discussion is, so far, not very sophisticated on either side.)

While the efficacy of the new bill is debatable, it is clear the current approach — depending almost entirely on voluntary collaboration — has not worked. The weakest links in the cybersecurity system are the least willing to show up, talk turkey, and truly collaborate in sharing information and changing behavior. What do you do when “pretty please”, earnest presentations on self-interest, and peer pressure do not work? What do you do when neglect by one “house” on the block endangers the safety of the entire block (or city)?

Sanctions are needed. But no matter how tough, sanctions will not be sufficient. Whatever sanctions are available, unless they are used to craft collaboration (rather than mere compliance), cybersecurity will not be enhanced. The threat of regulatory sanctions may encourage collaboration, but a rigid regulatory approach alone will only achieve minimal compliance, which in cyberspace will always lag behind new threats and vulnerabilities.

Whichever of the current sides wins, execution will be key. The current legislation addresses execution primarily under Title III through a DHS National Center for Cybersecurity and Communications. The new entity would combine several existing offices and would be directed by a Presidential appointee confirmed by the Senate. Here are the director’s duties enumerated in the current legislation:

(1) manage Federal efforts to secure, protect, and ensure the resiliency of the Federal information infrastructure, national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States, working cooperatively with appropriate government agencies and the private sector;

(2) support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure;

(3) prioritize the efforts of the Center to address the most significant risks and incidents that have caused or are likely to cause damage to the Federal information infrastructure, the national information infrastructure, and national security and emergency preparedness communications infrastructure of the United States;

(4) ensure, in coordination with the privacy officer designated under subsection (j), the Privacy Officer appointed under section 222, and the Director of the Office of Civil Rights and Civil Liberties appointed under section 705, that the activities of the Center comply with all policies, regulations, and laws protecting the privacy and civil liberties of United States persons; and

(5) perform such other duties as the Secretary may require relating to the security and resiliency of the Federal information infrastructure, national information infrastructure, and the national security and emergency preparedness communications infrastructure of the United States.

Title III continues for another 28 pages. Included under Authorities and Responsibilities of the Center is the charge to “serve as the focal point for, and foster collaboration between, the Federal Government, State and local governments, and private entities on matters relating to the security of the national information infrastructure.”

On page 114 of the proposed legislation a supervisor training program for the Center is set out. The current language suggests Senator Akaka and his staff have persisted in pushing his perennial concerns. It’s all good. It could be better.

The currently proposed training program is mostly internally focused. I suggest language be added to focus on mission achievement. Consider for a moment a supervisor training curriculum focused on just one of the duties listed above, “support private sector efforts to secure, protect, and ensure the resiliency of the national information infrastructure.”

What is the nature of the private sector?

What are the private sector’s current efforts related to cyberspace?

What does “secure”, “protect”, and “ensure the resiliency” of cyberspace mean?

What is the national information infrastructure?

What does it mean to “support” the private sector? Why this verb rather than another?

That would be an interesting — valuable — curriculum. Develop similar curricula around each of the statutory goals, include private sector participants in the curriculum… and a whole new approach to private-public collaboration might be cultivated.

This curriculum should include a heavy dose of culture, a culture of private-public collaboration. If the Center becomes a cyber-SEC none of us will be any safer. Cybersecurity cannot focus on accountability after-the-fact. The focus must be on cultivating a culture of prevention and resilience, not compliance.

For this purpose, I propose the Akaka Academy for Cybersecurity give close attention to the way the Coast Guard cultivates a collaborative relationship with owners and operators of marine vessels. Just for a taste of what I mean, consider the implications of the following written instruction from a Coast Guard flag officer… and this is not atypical; this approach is entirely consistent with standard Coast Guard practice.

The Coast Guard’s objective is to administer vessel inspection laws and regulations so as to promote safe, well equipped vessels that are suitable for their intended service. It is not the Coast Guard’s intent to place unnecessary economic and operational burdens upon the marine industry. In determining inspection requirements and procedures, inspection personnel must recognize and give due consideration to the following factors:

  • Delays to vessels, which can be costly, need to be balanced against the risks imposed by continued operation of the vessel, with safety of life, property, and the environment always the predominant factor over economics;
  • Certain types of construction, equipment, and/or repairs are more economically advantageous to the vessel operator and can provide the same measure of safety;
  • Some repairs can be safely delayed and can be more economically accomplished at a different place and time;
  • The overall safety of a vessel and its operating conditions, such as route, hours of operations, and type of operation, should be considered in determining inspection requirements;
  • Vessels are sometimes subject to operational requirements of organizations and agencies other than the Coast Guard; and
  • A balance must be maintained between the requirements of safety and practical operation. Arbitrary decisions or actions that contribute little to the vessel’s safety and tend to discourage the construction or operation of vessels must be avoided.

I know of no better example of effective private-public collaboration than that of the U.S. Coast Guard with the industry it helps regulate, serve, and sometimes save. It is a cultural model well-suited to the cyber domain.


7 Comments »

Comment by William R. Cumming

February 24, 2012 @ 1:40 am

And the Administration’s bill[s]?

Does the Coast Guard get involved in safety issues during the construction phase of vessels?

Comment by Philip J. Palin

February 24, 2012 @ 5:17 am

In regard to USCG involvement in the construction phase, please see: http://www.uscg.mil/directives/ci/16000-16999/CI_16710_2A.pdf

Comment by Philip J. Palin

February 24, 2012 @ 5:22 am

Paul Rosenzweig has a helpful analysis of the bill’s current regulatory provisions at the Lawfare blog.

His comments include:

Given the predominance of offense over defense (at least at this time) in cyberspace, the likely most effective method of dealing with cyber vulnerabilities is to prepare for failure – that is, to establish plans for continuity of operations. I think it is fair to characterize Title I as focused far more on attack prevention than it is on recovery from attack – the only real mention of resiliency I can find is in section 105(b)(1)(C) where the regulations creating the performance requirements are (briefly) instructed to include rules requiring owners to “develop or update continuity of operations and incident response plans.”

I agree. In many — perhaps most — homeland security efforts there is a continued preoccupation with security rather than resilience.

Comment by William R. Cumming

February 24, 2012 @ 7:32 am

Thanks Phil! So assume there is some feedback loop from accidents to the construction inspection phase. Wow! How many naval architects does USGS have on active duty or all contract? And the Coast Guard Academy’s basic degree is what? Current class size?

Pingback by Homeland Security Watch » A discussion on cybersecurity legislation

February 27, 2012 @ 3:55 am

[...] On one hand, the sausage-making portion of the discussion with congressional staff was interesting, if not too enlightening to one uninitiated in the dark legislative arts. On the other, former DHS Secretary Chertoff and former DNI McConnell seemed to echo some of Phil’s framing of the cyber issue in his last post. [...]

Pingback by Library: A Round-up of Reading | Res Communis

February 27, 2012 @ 4:38 pm

[...] Creating a Cyber Coast Guard – Homeland Security Watch [...]

Pingback by The internet and technocracy’s open secrets | Many fandoms, one love

May 21, 2013 @ 6:28 pm

[...] name of child protection. Would a Homeland Security version fall under the purview of the “cyber coastguard,” or are they tied-up invading our privacy for [...]
