The President’s National Infrastructure Advisory Council (NIAC) calls for ‘bold action.’
This week, the President’s National Infrastructure Advisory Council released a draft of a memo on infrastructure cybersecurity. According to the memo, the United States is not sufficiently prepared to address existing cyber risks to critical infrastructure.
The memo is the result of a months long examination, prompted by the National Security Council, into how the federal government and private sector can work together to address the security of highly targeted private infrastructure. According to the NIAC’s findings, escalating cyber risks threaten the continuity of government, economic stability, social order, and national security.
“U.S. companies find themselves on the front lines of a cyber war they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure. Bold action is needed to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures,” the memo says. “The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cyber systems in the private sector.”
In a report set to be released December 12, the NIAC says the government has failed to adequately address cyber threats to critical infrastructure. The report details a series of recommendations for steps the government can take to better aid the private sector currently fighting what the NIAC calls a “cyber war against multi-billion-dollar nation-state cyber forces.” The NIAC calls on the government to take “bold action” to address the growing threat.
Among the report’s recommendations is the creation of a Critical Infrastructure Command Center to enable real-time data sharing and processing between the public and private sector to allow for the development of actionable intelligence and threat mitigations. The CICC would involve a 24/7 watch floor where intelligence operatives and cybersecurity experts could monitor threats and take action when necessary to mitigate attacks.
The report also recommends the formation of a Federal Cybersecurity Commission tasked with mitigating catastrophic cyber risks to critical infrastructure. The FCSC would be an independent U.S. government entity that would serve as a bridge between the government and at risk companies in the energy, financial services, and communications sectors.
“Your leadership is needed to provide companies with the intelligence, resources, and legal protection necessary to win this war and avoid the dire consequences of losing it,” the memo says. “Establishing the CICC and FCSC will empower our nation to meet, engage, and thwart those who choose to target our critical infrastructure.”
The report also calls for direct action to improve supply chain cybersecurity. Hackers often target the supply chain in order to gain access to critical infrastructure, using malware and other tactics to compromise digital equipment.
In an effort to curb supply chain risk, the U.S. government passed the National Defense Authorization Act for Fiscal Year 2014, which gave the Secretary of Energy the authority to “use classified threat information to end contracts or eliminate companies from contract competitions without providing cause if it is based on classified information.” However, according to the report the Department of Energy has yet to use this authority.
In addition to utilizing the NDAA, the NIAC also advocates for expanding the DOE’s procurement authority. The report calls for the government to provide liability protection to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure.
“Incremental cybersecurity improvements cannot keep pace with the rapid, asymmetric offensive strategies used by nation-states to infiltrate, map, and compromise the cyber networks of U.S. critical infrastructure,” the report says. “The past 20 years of well-meaning government efforts have shown that our national approach to securing the cyber assets of critical infrastructure are far less than optimal. Radical new approaches are needed that combine the extensive capabilities and resources of government and industry to protect private sector networks where failure could result in catastrophic impacts on public safety, economic stability, and national security.”