The Department of Homeland Security (DHS) is reorganizing the vast directorate responsible for cybersecurity and the nation’s critical infrastructure. Thus far, however, protecting the GPS signals essential to most of that infrastructure hasn’t rated a public mention in the plans.
The reorganization of the National Protection and Programs Directorate (NPPD) got underway in July, the month after the Office of Personnel Management revealed a computer beach that left the fingerprints and personal information of 5.6 million federal employees in the hands of hackers.
The Department of Homeland Security (DHS) is reorganizing the vast directorate responsible for cybersecurity and the nation’s critical infrastructure. Thus far, however, protecting the GPS signals essential to most of that infrastructure hasn’t rated a public mention in the plans.
The reorganization of the National Protection and Programs Directorate (NPPD) got underway in July, the month after the Office of Personnel Management revealed a computer beach that left the fingerprints and personal information of 5.6 million federal employees in the hands of hackers.
The new structure aims to put more cyber experts in the field — DHS got authorization in November to hire 1,000 more cyber specialists — and link them closely and more operationally with their counterparts in state and local government and the private sector.
"We need to take a holistic approach across cyber and physical risks that the private sector increasingly takes and reflects the world that they face — a world in which cyber and physical . . . are increasingly intertwined," Suzanne Spaulding, NPPD under secretary, told lawmakers in an October 7 hearing.
"Ultimately the transition we are talking about is about strengthening operations, our ability to make a difference on the ground in partnership with our stakeholders in government and the private sector," she told the House Subcommittee of Cybersecurity, Infrastructure Protection, and Security Technologies.
"To fully accomplish this objective we need excellence in our mission support functions, particularly acquisition and program management. This plan includes not only some restructuring of the organization but also cultural, governance and process changes and even changing our name,” Spaulding added.
Noticeable by Its Absence
What she did not mention in her testimony, which according to a DHS spokesman provides the only publicly available description of the reorganization, is where GPS protection fits in.
There is no question that DHS has a role in protecting the use of GPS signals in the United States. In the 2004 National Security Presidential Directive-39 (NSPD-39) the agency was, among other tasks, given responsibility for finding and identifying sources of interference to GPS signals and developing ways to "ensure continuity of operations" should GPS be disrupted or denied.
Although other parts of DHS have undertaken GPS-related work — most notably research into GPS vulnerabilities — protection responsibilities have fallen to the NPPD, which appears largely to have ignored them even though GPS is considered an essential element for 13 of the nation’s 16 designated critical infrastructure sectors.
"The challenge that they have is that they have so many things to do that the . . . protection of GPS, which is essential to our critical infrastructure and our cyber security — is something that they heretofore have not focused on it all," said Dana Goward, president and executive director of the resilient Navigation & Timing Foundation, which has been advocating for a back-up to GPS.
That doesn’t mean that GPS is being left out entirely. The truth is NPPD has said very little about what they are doing — so little that lawmakers have been complaining pointedly for months about having to learn about the reorganization through press leaks, a reorganization that they must approve, at least in part. Chris Currie, the director of the Government Accountability Office (GAO) team watchdogging DHS, told lawmakers during the hearing he didn’t have enough information to offer a perspective on the reorganization.
Saying Nothing about Much . . . and Vice Versa
Indeed, a GAO report on the reorganization consisted largely of observations on best practices and a summation of earlier findings. DHS has been holding its planned changes so close that the agency has resorted to boilerplate packaging of testimony. When Spaulding and her two deputy under secretaries testified, they submitted a single set of prepared remarks.
What Spaulding did tell subcommittee is that NPPD is realigning along three areas of endeavor that promise 1) greater unity of effort across the organization, particularly across cyber and physical threats, vulnerabilities, consequences, and mitigation; 2) enhanced operational activity; and 3) an “excellence in acquisition” program management and other mission support functions. The focus she said was on putting people in the field — adding that more information should be available by the end of the year.
"They will be out there every day with those owners and operators," said Spaulding, "doing not just physical security assessments but cyber security assessments. Identifying ahead of time critical vulnerabilities, configurations, and working with them in collaboration with the NCCIC [National Cybersecurity & Communications Integration Center] and our cyber ‘ninjas,’ as I call them, on mitigation measures.
The new structure Spaulding described could well open a practical path to weaving in GPS signal protection and increased awareness of the how much critical infrastructure relies on GPS — something the U.S. Space-Based Positioning, Navigation, and Timing Advisory Board has underscored and DHS has acknowledged. Caitlin Durkovich, assistant secretary for infrastructure protection in NPPD has described GPS as a single point of failure for critical infrastructure, said Goward.
Given that, Goward added, "it would be nice to be able to find somewhere in their plans and the documents something indicating the importance of GPS and how they are communicating with industry and what they are actively doing to ensure that it is protected."
