The Situation Report: DHS Cyber Reorganization Gains Support

The Department of Homeland Security’s long-standing plans to reorganize the National Protection Programs Directorate (NPPD) to better deal with the growing threat of cyberattacks on national critical infrastructure may have received the boost it needed this week to obtain congressional approval.

In addition to establishing a coordination structure for responding to cyber attacks against the country, the new Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41) has tasked DHS to write a national cyber incident response plan for critical infrastructure within the next 180 days. And that may be the key to getting Congress to approve the reorganization plan, according to Secretary of Homeland Security Jeh Johnson.

“We’re much more focused on cyberattacks on critical infrastructure, which is why I want to reorganize our National Protection Programs Directorate (NPPD), which is run by Suzanne Spaulding, into a cyber and infrastructure protection agency so that we, in a lean and mean way, marry up our cyber experts with our critical infrastructure protection experts into one agency working side-by-side,” Johnson said, speaking Wednesday at the annual Aspen Security Forum.

“That requires congressional approval. The House Homeland Security Committee is interested in this. I’m hoping that they will push it through the entire House and get it through the entire Senate,” Johnson said. “Addressing cyber events focused on critical infrastructure is and has to be a national priority.”

Development of a national cyber incident response plan is long overdue. It was first called for in the National Cybersecurity Protection Act of 2014, sponsored by House Homeland Security Committee Chairman Rep. Michael McCaul, R-Texas. The new incident response structure created as part of PPD-41 is a step in the right direction, McCaul said.

“This vital plan will help ensure these recently passed cybersecurity laws we have been fighting for will be fully implemented and effectively carried out to strengthen our nation’s cybersecurity,” McCaul said in a statement issued in response to the release of PDD-41. “Finally, I hope the administration will take quick action to further clarify the parameters and the rules of engagement for cyber warfare.”

Refocusing DHS on cyber defense, response, and mitigation for critical infrastructure, such as the electric power grid or the financial services sector, comes at a logical time for the agency—which remains a work in progress in terms of integrating the 22 formerly independent departments and agencies that became DHS. The agency, and the nation as a whole, is facing a world in which nation-states have shifted from relying on cyber for purely intelligence collection operations to conducting more offensive attacks designed to manipulate political and economic outcomes in the real world.

Still, there remain differences of opinion on exactly what the restructuring of the NPPD should look like. The House Homeland Security Committee in June advanced a bill—the Cybersecurity and Infrastructure Protection Agency Act of 2016—that would keep the National Cybersecurity Division and the Infrastructure Protection Division separate entities.

The White House attracted the ire of some lawmakers earlier this summer when a draft DHS reorganization plan was leaked to the media and hadn’t been briefed to Congress, which has the authority to approve or disapprove any such reorganization. The perception that the Obama administration was planning to move forward unilaterally with a DHS reorganization did not help Johnson’s chances of getting support for his plan. Now, with PPD-41 in place and a nascent governmentwide cyber incident response structure taking shape, the DHS reorganization plan makes more sense than ever before.

“There’s the cop and there’s the fireman,” Johsnon said, describing the intent of PPD-41. “Jim Comey is the cop and I’m the fireman,” he said, referring to FBI Director James Comey. “So, when you want to report the crime, the hack, the threat, you go to law enforcement. If you need somebody to help you put out the fire—plug the vulnerability, prevent it from spreading, and root out the bad actor from your systems—the Department of Homeland Security is in the lead.”