Cybersecurity policy has long been treated as a communications function instead of an operational mission, which creates a disconnect between cyber professionals and operators in the field, according to Daniel Austin, senior cybersecurity subject matter expert for the U.S. Space Force.
At the Engage Public Sector conference on May 28 in Washington, D.C., Austin outlined challenges facing cybersecurity teams and infrastructure operators, particularly in critical environments where operational resiliency and cyber requirements often collide.
“What I am finding is, from a policy perspective, we may have let the field down for a long time,” Austin said. “[Cybersecurity] has been viewed as something for the comms people to do, rather than an operational thing that we do, and that has served us well in terms of communications, not so well in terms of seeing the bigger cyberspace picture.”
He described a recurring divide between facility operators, who understand the physical terrain and disaster preparedness requirements, and cyber professionals, who may not fully understand operational constraints. Austin warned that cybersecurity teams can sometimes unintentionally jeopardize operational systems when implementing security measures if they do not understand engineering realities.
“We have a lot of work to do with regard to matching policy to what the people down at the user level are actually doing in their terrain, and how we apply money and guide success,” Austin said.
Austin pointed to one example within the Space Force where collaboration between cyber teams and utility providers has improved coordination and awareness.
“One of our locations has a cyber squadron where the leadership has a personal relationship with the public utilities that are base [dependent]. They put uniformed personnel in routine meetings … with those public utility engineers, so the collaboration can begin by crossing those boundaries,” he said.