A cyber-security task force, created to advise the White House on both potential and imminent threats, has issued a warning that national cyber-security efforts are “falling short.”
The President’s National Infrastructure Advisory Council (NIAC) is composed of senior executives from industry and State and local government.
The council was established by executive order in October 2001 to advise the President on practical strategies for industry and government to reduce complex risks to the designated critical infrastructure sectors. At the President’s request, NIAC members conduct in-depth studies on physical and cyber risks to critical infrastructure and recommend solutions that reduce risks and improve security and resilience.
“Our review of hundreds of studies and interviews with 38 cyber and industry experts revealed an echo chamber, loudly reverberating what needs to be done to secure critical U.S. infrastructure against aggressive and targeted cyber-attacks,” NIAC’s most recent report, released this month, says. “Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure. When a cyber-attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.”
“We believe the U.S. government and private sector collectively have the tremendous cyber-capabilities and resources needed to defend critical private systems from aggressive cyber-attacks—provided they are properly organized, harnessed, and focused. Today, we’re falling short,” it adds.
NIAC calls on the Trump administration to use “this moment of foresight to take bold, decisive actions.” Among the report’s primary recommendations:
Establish separate, secure communications networks specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies;
Facilitate a private-sector-led pilot of the machine-to-machine information sharing technologies, led by the electricity and financial services sectors, to test public-private and company-to-company information sharing of cyber-threats at network speed;
Identify best-in-class scanning tools and assessment practices, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis;
Develop a voluntary, cost-shared scanning and assessment program that provides onsite tools and expertise to help organizations test their systems for malware using best-in-class tools, sanitize their systems, and identify government and industry tools and service providers to upgrade and maintain system security;
Establish a “Center of Excellence” to showcase best-in-class tools across the industry and provide a test bed environment for companies to test and evaluate new software, particularly for use by small and medium-sized companies;
Establish a set of limited time, outcome-based market incentives that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices;
Streamline and significantly expedite the security clearance process for owners of the nation’s most critical cyber-assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident;
Establish clear protocols to rapidly declassify cyber-threat information and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber-attacks; and
Establish an optimum cyber-security governance approach to direct and coordinate the cyber-defense of the nation, aligning resources and marshaling expertise from across federal agencies.
“The public and private sectors remain unable to move actionable information to the right people at the speed required by cyber threats,” the report warns. “Threat information and mitigations must move at network speed. Advances in machine-to-machine information sharing and automated mitigations show great promise.”
The report also notes a potential roadblock to data sharing between the public and private sectors. “Securely sharing real-time system data with the federal government requires significant trust regarding how the information will be protected, shared, and used,” it says. “Leaked data creates significant business risks and liability protections are not court-tested. As such, machine-to-machine sharing requires consensus on common technologies, data formats, protocols, and policies.”
“The most effective, value-added platforms will incorporate public-private and business-to-business information exchange,” the report adds. “The private sector has more raw, real-time network data of value, and sharing information between companies is often faster. Government analysis adds value by connecting the dots across companies to reveal potential threats, add intelligence insights, understand intent, and provide warnings. Today, the time required to vet, analyze, and obtain permission to share threats creates significant delays. Businesses can best lead the development of trusted solutions that meet their needs.”
The owners of critical systems can range from Fortune 100 companies to small businesses, with diverse risks, resources, and cybersecurity needs. “Customizable solutions are needed, and one-size-fits all tools are rarely effective,” the NIAC report says.
Also noted in the report are third-party risks. “Supply chain risks remain a struggle for system operators, who lack a trusted method to verify the provenance and custody of digital components from design and manufacture to integration and use,” it says. It suggests that the Department of Energy, the National Labs, and the Department of Homeland Security “could work with the electricity industry and component manufacturers to develop an industry-driven method to verify and certify supply chain security for operational technology system devices.”
The report warns government officials that “the time to act is now.”
“As a nation, we need to move past simply studying our cyber-security challenges and begin taking meaningful steps to improve our cyber-security to prevent a major debilitating cyber-attack,” it says. “Our nation needs direction and leadership to dramatically reduce cyber-risks.”