What can DoD, civilian cyber efforts learn from the Coast Guard approach to maritime security?

There may be an answer to the long-running debate about whether to split U.S. Cyber Command from the National Security Agency and where does the civilian sector fit in to the offensive side of the cyber equation.

Sen. John McCain (R-Ariz.), chairman of the Armed Services Committee, offered an idea at a recent hearing with Adm. Mike Rogers, commander of U.S. Cyber Command and director of NSA, that seems to have real legs.

McCain suggested that the Coast Guard could be a model for how cybersecurity is organized in the federal government.

“That Coast Guard has an interesting mix of authorities that may be just as applicable in cyberspace as they are in territorial waters. They’re both an agency within the Department of Homeland Security as well as a branch of the armed services. They can operate both within the United States and internationally and can seamlessly transition from law enforcement to military authorities,” McCain said at the May 9 hearing. “A cyber analog to the Coast Guard could be a powerful tool for addressing gaps that impede our existing organizational structure. It could also serve as a much-needed cyber first response team responsible for immediate triage and handoff to the appropriate federal entity for further response, remediation, or law enforcement action.”

Advertisement

Think about it for a second—cybersecurity crosses boundaries similar to drug smuggling and pirating. If the Navy had to hand off to the Coast Guard every time a speed boat carrying drugs crossed into U.S. territorial waters, imagine the inconvenience and hassle that would cause.

How is cyber any different? When an attack emanates from a foreign country on a military base or a critical infrastructure provider, is it a law enforcement or military responsibility to respond? So far it’s been the FBI taking the lead with investigations, and the Homeland Security Department performing clean up duties.

McCain and other members are concerned about the increasingly distributed roles and responses to cyber attacks.

“Achieving a credible deterrent requires integration of capabilities and focus policy development across the Department of Defense. As well as through the whole of government involving DOD, the State Department, the intelligence community, DHS and the Justice Department. We had not seen evidence yet that the new administration appreciates these urgent problems and intends to address them. The cyber command, specifically,” said Sen. Jack Reed (D-R.I.), ranking member of the committee. “The committee has heard concerns that our military cyber forces are almost exclusively focused on the technical aspects of cyberspace operations such as detecting network intrusions, expelling intruders and figuring out how to penetrate a network of adversaries. The concern is that this focus misses the crucial cognitive element of information operations conducted through cyberspace.”

The Coast Guard, on the other hand, protects the nation’s waterways in a multi-dimensional way.

Retired Adm. James Loy, who served as the Coast Guard’s commandant for four years and DHS deputy secretary for two years in the 1990s to the mid-2000s, said the service is a blend of military tactics and law enforcement authorities.

“The picture Sen. McCain is painting is the ability to have constructed means by which they can fly back and forth between law enforcement and military tactics, and have the policy to get done what they have to by law,” said Loy, who now is a senior counselor with the Cohen Group. “On the law enforcement side, the service has led efforts to provoke bilateral arrangements with Caribbean countries so they are acting on behalf of the country. They have the flexibilities and are designed with the intent to move between regulatory and military tactics that the senator is describing as a model. That is enormously effective for the Coast Guard.”

Loy said while he’s not an expert on cybersecurity, the analogy is a good one because the point McCain is making is all about flexibility to meet the mission.

“Is there a version of that in the cyber world that would be valuable?” he said. “There is a similar degree of those kinds of policy aspects, tactical utilization of resources and an end game of efficiency and effectiveness so the model may have application.”

McCain’s concern seems to be about the long-term sustainability of the current set up. While a spokesman for his office offered nothing further about this idea of a Coast Guard model, the senator did press Rogers on this question during the hearing.

Rogers said it was sustainable, but questioned whether it was the most effective way to address cybersecurity concerns.

“My recommendation, my input to the process has been — our challenge is, so we built a foundation with a series of very specialized and distinct responsibilities and yet I think what experience has taught us over the last few years is it’s our ability to respond in a much more integrated focused way is really the key to success here,” Rogers said. “And I think that’s the challenge, how do we more formally integrated these capabilities across the government.”

The Defense Department has a report due to the committee on or about June 23 on military/non-military options available to deterring and responding to imminent cyber threats. Congress asked for the report in the 2016 National Defense Authorization Act.

Rogers said he know DoD is working on the report.

Loy said the Coast Guard adapted its mission space and response over the last 25 years or more. DoD, DHS, the FBI and others don’t have that luxury with cybersecurity.

“If you just look at gradual emergence of this challenge, DoD has been concentrating on things in space and cyber related from the offensive and defensive perspective for a long time, but it’s the maturation of both the threat and the vulnerabilities and capabilities that causes some more direct thinking to be considered for organizational mashups,” he said. “To the degree the rose was pinned on DHS to be responsible for areas not related to DoD, think about what that did and the enormous complexity has caused over the last decade or more of thinking about how to do that. I can see that morphing with ultimate responsibility with some sort of cyber organization, every bit as responsible for cyber as the Coast Guard is for the maritime domain. Whoever gets the rose pinned on them will serve the nation better based on this preparation.”

Return to the Reporter’s Notebook