The United States is failing to take full advantage of its collective capabilities to defend the nation against cyber threats due to a lack or organization between the private and federal sectors, says a draft report by a presidential advisory council.
“The President’s National Infrastructure Advisory Council (NIAC) believes the Federal Government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused,” says the pre-decisional report that was presented by a working group to the council during its quarterly business meeting on Tuesday. “Today, we’re falling short. Cyber capabilities and oversight are fragmented, and roles and responsibilities remain unclear. We’re simply not organized to keep up with the threat.”
The report was directed as part of President Donald Trump’s May 11 executive order on cyber security. The NIAC is comprised of senior executives in industry, and state and local governments that own and operate the nation’s critical infrastructures.
In an appendix attached to the report, the working group says that many of the experts it interviewed for its work cited the United Kingdom and Israeli governments as models for more effective “national cyber governance,” highlighting three key examples. One is that need for “one central point of federal cyber authority,” it says.
A second is ensuring that the government has a clear role in cyber offense to deter adversaries. Finally, “Cyber defense and cyber technology leadership are inextricably linked,” the report says.
The report highlights that infrastructure, in particular electricity and financial, that provides “vital services” to U.S. citizens is targeted by disruptive cyber attacks, putting “private companies on the front line” of cyber security, creating unique challenges.
“It is imperative that Federal and private roles in defending these systems are aligned and mutually supportive,” says the report, Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure.
There is hope, the report says.
“Fortunately, we find ourselves in a pre-9/11-level cyber moment, with a narrow and fleeting window of opportunity to coordinate our resources effectively,” it says.
The report makes 11 recommendations for various federal agencies and departments, including the White House National Security Council. Some of these recommendations include rapid declassification of cyber threat information to be shared “proactively” with critical infrastructures, expedited processing of security clearances for owners of the most critical infrastructures, and creation of outcome-based market incentives to upgrade their cyber capabilities to meet industry standards and best practices.
The federal government has key capabilities in defending the nation from cyber threats yet the private sector has “limited” knowledge of these and incentives to use them, the report says.
Another recommendation calls for establishing an operational pilot project that brings together executives in government and the electricity, finance and communications industries who can direct action and “marshal resources” in response to the top cyber threats.
The working group says that it won’t be easy to get the optimum coordination between various government and private actors, which is why it suggests piloting solutions to improve the way organizations and actors work together.