Heightened cyber risks to critical infrastructure present an “existential threat” to national security, the National Infrastructure Advisory Council (NIAC) cautioned in a newly published draft report.
The NIAC is composed of senior executives from industry and state and local government who own and operate critical infrastructure operations. The Council, which was established in 2001, conducts studies on physical and cyber risks to the nation’s vital sectors and recommends solutions to improve security and resilience. Its members include former National Security Agency Deputy Director Richard Ledgett.
The interim report, which was addressed directly to President Trump and entitled Transforming the U.S. Cyber Threat Partnership, warned that the nation is “ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure.” What’s needed, the members wrote, is “bold action to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures.” The 22-page document is dated December 12, the day the group is expected to discuss the report, with remarks from Christopher Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The document does more than sound an alarm about cyber security risk. It also includes nine recommendations, starting with a call for a Critical Infrastructure Command Center (CICC) to improve real-time information sharing of public and private data.
In addition, the Council suggests:
- Direct the Intelligence Community to prioritize collecting, detecting, identifying, and disseminating information on efforts by nation-state and non-state actors to exploit, deny, or otherwise attack U.S. critical infrastructure.
- Conduct a one-day Top Secret/Sensitive Compartmented Information (TS/SCI) briefing to CEOs of identified energy, communications, and financial services companies on actions to counter cyber threats.
- Pilot test the CICC via the upcoming National Level Exercise 2020 by bringing together cleared private sector experts with intelligence officers and representatives from other key government agencies.
- Create the Federal Cybersecurity Commission (FCSC) as an independent U.S. government entity to mitigate catastrophic cyber risks to critical infrastructure.
- Convene a symposium of select Cabinet Secretaries, regulators, Office of Management and Budget (OMB) officials, CEOs, and industry representatives to clarify the functions, roles, responsibilities and processes of the Commission.
- Direct the Department of Justice to determine the ability of government to direct the private sector to implement cyber mitigations.
- Provide liability protection to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure.
- Expand programs at the DOE’s national laboratories to independently test vendor equipment for vulnerabilities and report the results to private companies.
“Mr. President, America’s companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own,” the Council wrote. “Incremental steps are no longer sufficient; bold approaches must be taken. Your leadership is needed to provide companies with the intelligence, resources, and legal protection necessary to win this war and avoid the dire consequences of losing it.”