On August 22, the President’s National Infrastructure Advisory Council (NIAC) released a report on urgent cyber threats to critical infrastructure, including cyber threats to high-risk assets in the energy, finance, transportation, healthcare, and communications sectors.
First created by Executive Order in October 2001, the NIAC is an advisory group convened under the Federal Advisory Committee Act that includes senior executives and owners from industry as well as state, local, and former federal government officials. Its mission over the past 16 years has been to advise the president on ways for the public and private sector to reduce complex risks to critical infrastructure. In the wake of President Trump’s issuance in May of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the National Security Council (NSC) asked the NIAC to examine how federal authorities and capabilities can be used to support the cybersecurity of high-risk critical infrastructure assets, and in particular what more should be done to secure those assets at greatest risk of a cyberattack that could result in catastrophic regional or national effects on public health, safety, economic security, or national security.
Cyber, the NIAC report observes, is “the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure.” While noting the depth of federal capabilities and related authorities available to support cyber defense and resilience, the report underscores persistent gaps in preparedness that could lead to catastrophic outcomes and highlights the shared responsibility of the public and private sector to act swiftly to address them. The report urges “bold, decisive actions” from the new administration and offers 11 concrete recommendations to address the growing threat.
In keeping with the NSC tasking, many of these recommendations focus on federal government processes and organization, including streamlining the security clearance process and threat information declassification process, creating a public/private cyber security task force to lead on cyber defense, leveraging an upcoming nationwide, government-led security exercise, and establishing an “optimum cybersecurity governance approach” to coordinate nationwide cyber defense. Importantly, the report also promotes cybersecurity strategies that are geared toward private sector owners and operators, including:
- Establishing separate, secure backup communications networks. NIAC recommends leveraging existing but unused fiber networks (“dark fiber”) for critical system traffic or even reserving broadcast spectrum for backup communications in the event of an emergency. The report praises power companies who have already moved their operational systems to dedicated, closed networks with limited access points.
- Engaging in threat information-sharing. NIAC recommends that critical infrastructure owners/operators engage in automated, machine-to-machine cyber threat information-sharing. The report finds that both public and private sectors “remain unable to move actionable information to the right people at the speed required by cyber threats.”
- Using proper scanning tools and assessment practices. NIAC found a widespread failure to understand the magnitude or complexity of cybersecurity risks facing critical infrastructure. Critical infrastructure owners/operators must employ the best-in-class intrusion detection and prevention tools and practices. NIAC calls on the NSC and Department of Homeland Security (DHS) to work with critical infrastructure operators to scan and sanitize their systems on a voluntary basis.
- Strengthening the cyber workforce. NIAC notes a major predicted shortfall of qualified cyber experts in the next five years, and limited public sector understanding of private sector systems. NIAC recommends a public-private exchange program of cybersecurity experts, and expansion of federal cyber workforce programs, including scholarships and sponsored clearances for college-level cybersecurity students.
- Upgrading technologies and infrastructure to meet NIST standards. NIAC recommends that organizations be required to implement the NIST Cybersecurity Framework. To help reinforce that implementation, NIAC proposes that the government offer tax credits or other incentives for critical infrastructure owners/operators who meet those standards.
It remains to be seen to what extent the NIAC’s recommendations will gain traction with the current administration and (as necessary) with Congress. But the report is the latest to sound a cautionary note about the urgent nature of the threat and the closing window that exists to address it through closer coordination between government and industry. The public and private sectors could together offer “tremendous cyber capabilities and resources,” the report states, but realization of that potential has fallen short in the face of a growing threat, creating “a narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack.”