Of all the possible threats to the United States’ homeland security across domains, there is one that the dual-hatted chief of U.S. Northern Command and North American Aerospace Defense Command is acutely concerned about: attacks on critical infrastructure from cyberspace.
“Candidly, I worry a lot about the cyber domain and the unknowns in the cyber domain because the vast amount of our critical infrastructure that we rely on to project power from the homeland is not in DOD or federal entities. It’s in local industry, businesses, municipalities, … and so we have to be able to defend and protect that as well,” Gen. Glen VanHerck said Tuesday at the Politico Defense Summit.
While Northcom and NORAD don’t specifically conduct cyber defense operations, VanHerck said he works closely with leaders at U.S. Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA), the office responsible for cybersecurity and infrastructure protection under the Department of Homeland Security.
He noted that his organization would be called on if the Defense Department is tasked to provide support to civil authorities.
“I’m responsible for defense of the homeland, and in the case of an effect from a cyber attack I’ll provide defense support of civil authority — such as on an attack on a pipeline that basically limits fuel to the East Coast,” he said.
VanHerck has warned of threats to the United States’ critical infrastructure in the past and the need for more guidance on how the Pentagon would defend it.
At a webinar hosted by the Mitchell Institute in June, VanHerck said that he received approval from the Pentagon to put together a plan to do so. Now, he’s waiting to hear back from the department to see if his recommendations will yield capabilities for Northcom and NORAD.
“I conducted a commander’s estimate, essentially a plan of how we would defend that critical infrastructure. And I look forward to hearing back from the department,” he said.
VanHerck noted that his proposal divided the future defense of critical infrastructure between what operations and resources are needed in the future years defense program (a planning period covering the next five years) and in the long term. Although he didn’t give much detail, he said the plan considered all domains — including cyberspace.
“Not all of that has to be defended,” VanHerck said. “It may just be through resilience, such as cyber monitoring or actually hardening of the facility from a physical threat that allows us to generate the effect a policy drives on us.”