The latest federal advisory group to examine the problem of cybersecurity has reached an all-too-familiar conclusion: the government and U.S. companies have plenty of capabilities to defend the nation from cyber attacks, but they’re scattered throughout various organizations in ways that dramatically blunt their effectiveness.
But the latest study’s authors say they’re taking an approach that they hope will keep their report from gathering dust on a shelf. It includes detailed prescriptions for precisely which agencies need to do what in order to solve the problem, along with measures to hold agencies accountable for following through, including high-level oversight from the National Security Advisor.
The National Infrastructure Advisory Council (NIAC) undertook the study at the direction of the White House – one of 14 such reports that were required by President Donald Trump’s May executive order on cybersecurity. Focusing on the protection of the nation’s most “high value” assets, the group drafted 11 separate recommendations after consulting with three dozen cybersecurity experts and examining 140 different federal cybersecurity capabilities and authorities.
“We find ourselves at a crucial point. We are in a pre-9/11 cyber moment,” said Michael Wallace, a retired energy executive who co-chairs the NIAC cyber working group. “We have the opportunity to be proactive in this limited window before our nation experiences a watershed cyber attack, and we’re calling on the administration to take bold and decisive actions.”
Some of the recommendations call for direct action by federal agencies; others ask the government to play a supporting role, coordinating work by private-sector entities and giving them new incentives to shore up their own cyber posture.
In the latter category, the report calls on the departments of Homeland Security and Energy, the Office of the Director of National Intelligence, the National Security Council and the Strategic Infrastructure Coordinating Council to help identify unused “dark fiber” that could be turned into a secure command and control network for critical infrastructure. The proposed network would be more resilient to cyber attack, because it would be physically isolated from the public internet.
Similarly, the panel called for the government to set aside wireless spectrum to be used as a backup emergency communications network in the event of a major nationwide cyber attack that spanned multiple critical infrastructure sectors.
The authors called for the same agencies to facilitate an industry-led pilot program to demonstrate the ability to share electronic signatures of cyber threats directly between government and industry machines, in real time.
“We heard repeatedly in our interviews that the public and private sectors remain unable to move actionable information to the right people at the speed required,” Wallace said. “Machine-to-machine information sharing technology shows promise, but it is still immature, with significant legal, liability, technology, trust and cost challenges.”
Also, the NSC and DHS should make the federal government’s own cyber threat scanning capabilities available to private companies, particularly small and medium firms with lower levels of “cybersecurity maturity,” the panel said. The program would be voluntary on industry’s part, and the government would share some of the implementation costs.
And to encourage companies to invest in their own cybersecurity, the report urges agencies to set up a temporary system of incentives. In order to qualify, firms would have to have implemented the National Institute of Standards and Technology’s cybersecurity framework. The authors suggest “market-based” incentives ranging from tax credits to a waiver from otherwise-required government audits.
Among the more direct actions federal agencies should take: an overhaul of the processes members of industry have to undergo in order to access classified information. For instance, the report said all agencies should prioritize their clearance issuance processes so that at least two key personnel at each company that operates critical infrastructure assets can gain a top-secret clearance. Also, agencies should make those clearances universally accepted by one another and expand the number of sensitive compartmented information facilities (SCIFs) while also making it easier to transfer information between SCIFs operated by different agencies.
“The clearance process is time-consuming, inefficient and difficult to navigate,” said Robert Carr, the cyber working group’s other co-chair and the CEO of Heartland Payment Systems, a major credit card processor. “Existing clearances are not easily transferred from one federal agency to another, and without easy and quick access to these information facilities, even cleared individuals can’t receive information quickly.”
As another way to speed the sharing of cyber threat information, the panel said agencies should take steps to quickly declassify information and disseminate it to infrastructure owners. That recommendation would require intelligence agencies to expand their mission in a way that counts critical infrastructure operators among their customers so that they can share intelligence directly with them. The report also recommended embedding more private-sector representatives in government information sharing centers, perhaps through a significant expansion of DHS’ National Cybersecurity and Communications Integration Center (NCCIC).
“Our processes to share classified intelligence were designed for slower-paced threats decades ago,” Carr said. “Federal agencies remain unable to rapidly declassify the less-sensitive elements of a potential threat, like threat indicators and vulnerabilities, which leaves companies in the dark for too long. Embedding cleared private-sector representatives will allow them to work alongside analysts to inform the declassification process.”
And to make sure federal agencies and critical infrastructure operators are using all of their defensive capabilities in concert, the panel’s recommendations would set up a public-private task force broken down into three tiers, ranging from the technical experts who can detect and mitigate threats to CEOs and agency leaders who have the decision-making authority to put resources against those threats.
The Cyber Operational Task Force would use the new NIAC report as a starting point for its work, which would also include better coordination of the day-to-day activities already performed by the federal government’s six separate cybersecurity centers and the 140 authorities various agencies already have at their disposal.
“The substantial capabilities among federal agencies are divided, uncoordinated and often duplicative, making them insufficient to address cyber threats,” Wallace said. “A nation-state cyber attack on U.S. infrastructure today places private companies on the front line. This represents a national security challenge unlike any other, and requires a new level of national leadership and coordination. The Cyber Operational Task Force pilot could also be used to evaluate effective cyber governance models from other nations, and, in the end, recommend a new approach for the U.S.”
To ensure agencies act on all of the recommendations, the report also recommends that the White House direct the National Security Advisor to personally oversee its implementation.
Within six months, he would have to convene a meeting of senior officials from the agencies concerned and address any roadblocks to implementing the report in full.
“There is an urgent need to act,” Wallace said. “Major attacks and watershed incidents — like the 9/11 attacks — have historically triggered a new level of strategic, coordinated action driven by public demand and strong political will. We have an opportunity today to demonstrate foresight and leadership before a cyber attack that severely disrupts critical services.”