WASHINGTON — The U.S. is ill-equipped for a cyberattack capable of disrupting everyday American life. To better prepare, a bipartisan commission is calling on industry to formally systemically identify important critical infrastructure, or systems that underpin the economic, security, and health of critical U.S. functions.
While the government cannot shoulder all cybersecurity for critical infrastructure, once identified it can grant industry "unique authorities, resources and intelligence capabilities" to withstand sophisticated cyberattacks, according to the report published by the Cyberspace Solarium Commission Wednesday. If targeted, compliant entities would be granted a liability shield.
The U.S. government and industry, said the commission, have yet to make significant enough gains in preparation for a catastrophic cyberattack.
The commission's cyber recommendations are adoptable for the public and private sectors in the U.S., but it has no intention of "tearing down the system wholesale," said Rep. Mike Gallagher, R-Wisconsin, and co-chair of the commission, while speaking at the report's release Wednesday.
While legislative language has been drafted for recommendations, the report's reach is limited. Most of the report calls on what Congress "should" do in preparation for the future of cyber. The commission has started to draft recommendations into bills to make it "easy" on Congress, said Sen. Angus King, I-Maine, co-chair of the commission, while speaking Wednesday.
The report offers more than 75 recommendations organized among six policy pillars:
- Reform the U.S. government's structure and organization for cyberspace
- Strengthen norms and non-military tools
- Promote national resilience
- Reshape the cyber ecosystem
- Operationalize cybersecurity collaboration with the private sector
- Preserve and employ the military instrument of national power
While the nearly 200-page report acts as a guide to why, and more importantly how, the private sector can contribute to a national cyber strategy, commission members emphasized the importance of resilience and economic continuity — the third pillar.
Resilience is measured by how well an organization withstands and overcomes abnormal conditions, or the consequences of a cyberattack. Resilience starts with risk assessment.
"How can our economy absorb an attack and quickly restart," said Suzanne Spaulding, senior adviser at the Department of Homeland Security, International Security Program and Commission member, while speaking Wednesday.
Here are three of the commission's recommendations regarding preparation for national cyber resilience:
1. Consult with the private sector on economy continuity planning
One key aspects of report is the role the private sector will play in risk mitigation and preparation. Eighty percent of all critical infrastructure is owned by the private sector, according to Tom Fanning, CEO of Southern Company and Commission member, while speaking Wednesday. "We must pitch, not catch."
The commission identified industries with the potential of "upstream" disruption following a cyberattack:
Bulk power distribution
By identifying what industries uphold the U.S.'s economic health and even the confidence of U.S. citizens, a continuity plan should "give precedence" to those functions.
If necessary, a continuity plan could include "analog or retro systems" for critical services or industrial control networks. "Think paper ballots," said Samantha Ravich, Chairman of Foundation for Defense of Democracies' Center on Cyber and Technology Innovation and commission member, while speaking last week.
2. Establish a National Cybersecurity Assistance Fund
The government uses national funds to rebuild communities post-catastrophe, such as the Federal Emergency Management Agency. No such fund exists for cyber-related preparation or prevention.
The Commission recommends Congress pass a law granting funds be made available to public and private entities for solutions that are:
Considered a critical risk
Mitigation incentives are weak within the market without government funding
"A clear federal need, role and responsibility" to mitigate
U.S. markets aren't intended for national security, but some risks are national security risks, said Angela McKay, senior director of cybersecurity policy and strategy at Microsoft, while speaking at an event in Washington last week.
Regulation or cyber insurance have a role to play. There are also industries or sectors that don't consider themselves as strong contributors to the cybersecurity ecosystem, like toy companies, said McKay. The U.S. has to consider "what the market cannot bear."
3. Establish a five-year National Risk Management Cycle
Malicious actors measure success by the gravity of consequences.
The consequences refer to what networks "you worry about most," said Spaulding, while speaking at an event in Washington last week. Consequences and their severity shape how the U.S. will look at cyber deterrence.
In an attempt to achieve a "rigorous, codified and routinely exercised process" of identifying critical infrastructure at risk, according to the report. However, existing laws and regulations that aren't as accommodating to public-private-sector collaboration, said Fanning. But industry knows where critical infrastructure is, and therefore the risk, better than the government in some cases.
The five-year cycle, established by the executive branch, will provide a risk assessment. The findings should afford "pragmatic and budgetary priorities" from the National Cybersecurity Assistance Fund to entities — in the public and private sector — to minimize risk.