Blog Editor’s Note: It is always good to see the government prioritizing PNT, though in this case it is one of 55 very important things they are concerned about.
This also highlights the fragmented approach to PNT within the federal government. Defense transmits the GPS signal, Transportation is responsible for providing terrestrial backup capability, and Homeland Security has taken on warning people that it is important and suggesting ways they can protect themselves, including using better receivers.
Nominally, FCC is responsible for ensuring no accidental or malicious transmissions to block GPS, though the resources they have for this have been drawn down over the last ten years.
We wonder if such a divided effort with little to no coordination and leadership is sufficient to protect the nation.
Homeland Security Says PNT a “National Critical Function”
The Department of Homeland Security (DHS) has designated positioning, navigation, and timing services (PNT) a “National Critical Function.” That is PNT is now officially a capability so vital to the United States that its “disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety.”
The decision reflects a new approach by the agency aimed at improving its understanding of the 55 functions on the new national critical list, DHS said in an explanation. Rather than focusing on a static sector or on assets, “this more holistic approach is better at capturing cross-cutting risks and associated dependencies that may have cascading impact within and across sectors.”
“By viewing risk through a functional lens,” said DHS on its website, “we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.”
This could be a boon for the PNT community. Years ago DHS recognized PNT as a cross dependency among 13 of the 16 critical sectors of the nation’s infrastructure—such as the financial and telecommunications networks. Even so the agency did not appear to give PNT the coordinated analysis and scrutiny given early on to the sectors.
DHS’s focus sharpened, however, as the consequences of a break in GNSS service became more clear. The British found that the UK could lose £1 billion per day (about $1.263 billion) if GNSS experienced a major disruption. Experts agreed that the Cybersecurity Solarium Commission created by Congress late last summer should consider PNT to be a cybersecurity issue.
Then DHS Secretary Kirstjen Nielsen concurred, making PNT one of her top priorities in a push last year to protect U.S. cybersecurity.
“A lot of us think about that when we use a GPS device on our phone, whether it’s Google Maps or Waze, perhaps. But that’s also what allows us to settle our bank accounts. It’s also what allows a hospital to give you microsurgery. It allows air traffic control to flow,” Nielsen told the Security Innovation Network (SINET) conference in November according to Cyberscoop.
Despite the priority the agency appears to now be putting on protecting satellite navigation, it seems like DHS is starting over on work that has been quietly underway for a number of years.
“I’m sure they’re not going to throw away any of the work that they’ve done,” said Dana Goward, president and executive director of the Resilient Navigation & Timing Foundation, “but they do have a new organization and as you can tell from their publication they have a process. And so they’re starting at the beginning of the process and being thorough.”
The next step, according to DHS, is to build a tiered risk register where priority is given to risk areas where mitigation and collective action is needed. The Cybersecurity and Infrastructure Security Agency (CISA), which is managing the process, will be asking representatives from across government and industry “what keeps them up at night.”
More specifically they want to know about:
- Scenarios that could plausibly cause national-level degradation of NCFs.
- The likelihood and consequence of each scenario—leveraging existing sources, such as sector risk assessments, where possible.
- How disruptions to one NCF could cascade and impact other NCFs.
- The status of risk management efforts and the degree to which stakeholders are ready to further engage in communitywide efforts to mitigate risks.
CISA will periodically update and share what they learn with the critical infrastructure community, including government agencies and sector coordinating councils.
As for new regulations, DHS has long had a very light touch, Goward noted. Agency officials have stressed in the past that most infrastructure is privately held and they believe voluntary best practices for protecting assets, if developed collaboratively, would be more widely adopted.
“So with PNT and everything else” said Goward, “I don’t think we should expect to see any kind of real strong direction or regulation—more than what we’ve already seen.”
Blog Editor’s Post Script: Here is the process DHS will use for the 55 National Critical Functions:
CISA Risk Management Process
- Publish National Critical Functions
- Convene public and private stakeholder groups connected by
- Identify and validate scenarios of concern
- Engage with stakeholders to conduct risk analysis
- Assess risk from interdependencies and concentrated dependence on technology
- Use risk and scenario analysis to build a tiered Risk Register
- Consider risk and readiness for action to prioritize plans
- Convene teams to develop collaborative strategies
- Coordinate risk management and implementation plans