Fearing ‘cyber 9/11,’ national security council stresses unified emergency response from agencies

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Cybersecurity and Infrastructure Security Agency, since its launch last year, has taken a collaborative approach as part of its mission to share cyber threat intelligence between the government and the private sector.

But a new report from the president’s National Infrastructure Advisory Council (NIAC) has urged CISA and its government partners to consolidate its multiple information-sharing and supply chain risk management endeavors.

CISA has taken steps to build a consolidated government response to a major cyber emergency, but Mike Wallace, Constellation Energy’s chief operating officer and the chair of the NIAC working group that wrote the report, said time is running out.

“Some of our recommendations may take time to implement, but we must start now,” Wallace said Thursday at a quarterly NIAC meeting held in the Eisenhower Executive Office Building. “We believe the clock is ticking down to a cyber 9/11.”

Among its recommendations, the council urges the president to create two new government organizations: a Federal Cybersecurity Commission (FCSC) to manage “catastrophic cyber risks to critical infrastructure,” and a Critical Infrastructure Command Center (CICC) to allow government intelligence analyst and private-sector cyber experts to better share threat information, including classified information.

Wallace said the FCSC would be different from current information-sharing enterprises by “breaking down federal stovepipes” and setting up a single government authority to coordinate private-sector cyber mitigation of cyber attacks that could compromise national security interests.

“There is currently no such central authority … Federal authorities either currently do not exist, have not been used, are not designated for quick application needed for cyber defense or would not be applied evenly across infrastructure sectors,” he said.

Rich Baich, the chief information security officer of AIG and a member of the NIAC working group, said nation-states have already targeted this critical infrastructure in the U.S.

The report, Baich added, recommends, “consolidating where appropriate, the multiple existing public and private sharing organizations into one coordinated and empowered entity.”

CISA Director Chris Krebs, who has recently spoken about the need for a unified government response to major cyber threats, said he viewed the report as a “performance evaluation” of government’s work so far, and outlined how much work lies ahead.

“Reports like today’s really resonate with me as the director of the CISA and the things we’re trying to do, we’ve done and we’re looking forward to do,” Krebs said.

Meanwhile, the NIAC report also recommends bringing several Cabinet secretaries together with the Office of Management and Budget and industry representatives for a symposium to clarify where the FCSC would fit in the current cybersecurity ecosystem without duplicating efforts.

“For some, the creation of the FCFC may be controversial. We’re not naïve,” Wallace said. “We know the hurdles and the political realities that will make this a challenge. We also know that what we have developed after 90 days of work is not perfect. That’s why the symposium would provide the clarity needed to effectively implement the establishment of the commission.”

Earlier this year, members of Congress launched a Cyberspace Solarium Commission to create a single, unified strategy for large-scale cyber threats. The commission is expected to produce a final report to Congress before the end of December.

Meanwhile, CISA, through the National Risk Management Center, has identified 16 areas of national critical infrastructure that, while owned by private enterprise, have such a critical role on national security that they require government playing a supporting security role.

“National security is not our responsibility. The government’s responsible for national security. The challenge, obviously is they don’t control the assets. We control the assets,” Wallace said.

However, Wallace said recent laws, executive actions and proposed legislation have created a “patchwork of authorities that in some cases have not been applied in real-world situations.”

“The combined effect is that it is still unclear what authorities the government could bring to bear to respond to nation-state cyber threats,” he added.

The NIAC report also looks at ways to further blacklist and whitelist critical cyber products used in private critical infrastructure,

“Compromised components provide adversaries with a foothold into company networks that allows them to map, control and ultimately disrupt and destroy critical infrastructure efforts,” Wallace said.

On this recommendation, the NIAC working group has proposed borrowing a page from the Nuclear Regulatory Commission, which provides supply chain oversights for that industry.

“If we find a part or material that’s fraudulent, counterfeit or degraded, won’t perform its function, and we evaluate that that function has significant consequences that could jeopardize the health and safety of the public, we are obligated by law to take it out of our system and to file a report with the Nuclear Regulatory Commission,” Wallace said.

That report, in turn, gets publicly posted to NRC’s website, at which point all other nuclear energy companies must evaluate whether they have the same part of their systems.

“It’s a well-honed process, and the trigger is consequences for the health and safety of the public,” Wallace said. “In cybersecurity, it’s moving in the same direction.”