16 December 2019

Advisory group looks to redesign federal cyber response

By Derek B. Johnson

A government advisory group is warning that escalating cyber threats to critical infrastructure represent "an existential threat to continuity of government, economic stability, social order and national security."

While this conclusion is not novel -- U.S. policymakers have known for years that the nation's infrastructure contains massive targets for hackers and foreign governments -- a new draft report released this week by the National Infrastructure Advisory Council argues that current efforts have fallen short.

"America's companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own," members of the group wrote in a companion letter to the White House. "Incremental steps are no longer sufficient; bold approaches must be taken. Your leadership is needed to provide companies with the intelligence, resources, and legal protection necessary to win this war and avoid the dire consequences of losing it."


With that warning comes a recommendation to create a new Critical Infrastructure Command Center to improve real-time information sharing efforts, a dedicated push by intelligence agencies to prioritize the collection and dissemination of intelligence about threats against critical infrastructure from state and non-state actors, an all-inclusive one-day top-secret briefing to critical infrastructure CEOs and a national exercise in 2020 to pilot the new structure.

The report also asks the White House to issue an executive order creating a new independent government body to protect critical infrastructure and appoint a senior leader to implement the recommendations listed in the report. The Federal Cybersecurity Commission would be charged with monitoring and stopping cyberattacks against critical infrastructure that rise to the level of a national security threat. The commission would also help to bridge the gap between government and infrastructure companies in the energy, financial services and communications sectors while also serving as an expert resource for other federal agencies.

Finally, the report asks the Department of Justice to analyze the governments existing legal authorities to see if additional federal powers are needed to protect critical infrastructure and provide liability protection so companies can blacklist and whitelist certain technologies while expanding current initiatives to test vendor equipment for vulnerabilities.

Throughout the report, NIAC authors stress that these changes are not meant to undermine or replace current government efforts, but it's not immediately clear how overlap would be avoided.

Chris Cummiskey, former deputy undersecretary for management at the Department of Homeland Security, said in an interview that DHS' Cybersecurity and Infrastructure Security Agency has already done a good job carving out roles and responsibilities among its different offices and communicating those roles to Congress. While existing CISA entities could be altered or revamped to incorporate the council's recommendations, he's "not sure it would be helpful" to stand up additional organizations with potentially overlapping missions.

"You don't have to necessarily create new organizations to do this, I think there are places now in CISA as a result of congressional action to stand up a separate agency to take on these kind of mission sets," Cummiskey told FCW, later adding, "I'd be surprised if a call for a new center would gain immediate support unless a pretty compelling argument could be made for an additional organization."

He also said the recommendation for DOJ to examine new legal authorities to compel critical infrastructure organizations to take certain actions was worth exploring but had the potential to backfire.

"I thought it was interesting because the more you require those critical infrastructure organizations to do things … it starts to get a little dicey, you'll get pushback from the private sector as a result."

The report comes the same week that NIAC holds its quarterly business meeting, where CISA Director Chris Krebs and members of the report's working group are scheduled to give public comments.

No comments: