Increasing cyber security threats to the national government and evolving risk to critical infrastructure have driven the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) to increase its operational focus, which will be enhanced by a proposed reorganization of the division, a senior department official told a House panel on Wednesday.
These “changes we believe are necessary to keep pace with the dynamic and evolving risks that our partners in government and the private sector face each and every day,” Suzanne Spaulding, under secretary of NPPD, told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. She added that the transformation is also meant to create a more “efficient and effective” organization.
Among its various responsibilities, NPPD manages cyber security efforts for the federal government, shares cyber threat information with the private sector, regulates anti-terrorism standards for chemical facilities in the United States, biometric identity matching services for DHS, and provides protective services to federal civilian owned and leased buildings and facilities.
Plans for the reorganization were leaked to the media in June, prompting frustration from some in Congress that the department was bypassing the need their legislative blessing.
In September a bipartisan group of lawmakers from the full committee wrote Homeland Security Secretary Jeh Johnson complaining about a lack of transparency from the department on the NPPD transformation plans and reminding him of the committee’s role in authorizing the reorganization (Defense Daily, Sept. 17).
Rep. John Ratcliffe (R-Texas), subcommittee chairman, said in his prepared remarks that although the committee and NPPD have worked well together on various legislation the past few years, he and other members of the panel were “disappointed” to learn of the proposed reorganization through media leaks, and receiving scant details of plans so far in briefings by DHS.
“Even more disappointing, the committee has heard that DHS leadership had planned to move forward unilaterally on several efforts without congressional review and approval,” Ratcliffe said.
Spaulding said the media leaks were premature and that Johnson at that time hadn’t even reviewed the proposed changes, which are still being worked with more details to come by the end of 2015. She acknowledged that Congress has to authorize any major reorganization of her directorate, which is also expected to be renamed to provide employees and stakeholders with a clearer identity.
The proposed changes to the directorate’s organization are supposed to achieve three priorities, Spaulding said, with the first being a greater unity of effort and more “holistic approach”, in particular with respect to cyber and physical threats, vulnerabilities, consequences and mitigation.
These changes “reflect a world in which cyber and physical…are increasingly intertwined,” Spaulding said. “We see this in the Internet of Things. We know that cyber attacks can have physical consequences.”
The other two priorities include strengthening operations, “our ability to make a difference on the ground” working with partners in government and the public sector, and improving mission support functions, “particularly acquisitions and program management,” Spaulding said.
Specific organizational changes to NPPD that are being proposed include the creation of three operational directorates: infrastructure security, cyber and network security, and the Federal Protective Service (FPS).
In her prepared remarks, Spaulding stated that the cyber directorate will be centered on an “enhanced and elevated” role for the department’s around-the-clock cyber watch center, the National Cybersecurity and Communications Center, also called the NCCIC. “The focus on this area of operational activity will ensure DHS is able to respond to malicious cyber activity at the speed demanded by the rapidly evolving threat, while closely aligning pre-incident prevention and protection with incident detection, response and recovery.”
The infrastructure security directorate will be focused on outreach and stakeholder engagement and include regionally-based field operations to include an array of advisers in areas such as protective and cyber security, emergency communications, and chemical security inspectors. The current Office of Cybersecurity and Communications in NPPD would become part of this new branch as would programs within the Office of Infrastructure Protection.
The FPS branch, which currently exists to provide protective services to federal facilities, will continue with that role but also have an enhanced focus on protecting cybersecurity aspects of these facilities in coordination with the NCCIC. The FPS will also “better integrate its field operations with field forces in Infrastructure Security to enable comprehensive security and resilience for our stakeholders, as well as co-locate incident management support with the combined watch functions of the NCCIC and National Infrastructure Coordinating Center to gain efficiencies and improve situational awareness,” Spaulding stated.
Chris Currie, the director of the Critical Infrastructure Protection Homeland Security and Justice Team at the Government Accountability Office, told the panel that it’s too early for his agency to know a lot of the details about the proposed restructuring but said NPPD does need to be able to “adapt” to changing threats. “However,” he cautioned, “our experience at DHS and other agencies has shown that its often the management issues that can creep in as problems later on after these things are done,” pointing to human capital and acquisition as examples. “These areas are just as critical to think through as the mission need that is driving the reorganization because they can hinder success.”