The president’s National Infrastructure Advisory Council warned Donald Trump in a draft report this week that cyber threats need to be confronted with dire urgency, considering the grave risks posed to society’s most critical sectors by bad actors including Russia, China and Iran and the inability of private industry to fend off sophisticated attacks on its own.
The NIAC, composed of state and local government officials and industry representatives, was asked by the National Security Council on Sept. 5 to examine how the federal government and private industry could better tackle cyber risks to sensitive private infrastructure.
With bold-faced font, the NIAC warned Trump that “escalating cyber risks to America’s critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security.”
“U.S. companies find themselves on the front lines of a cyber war they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure,” said the letter accompanying the draft report, before launching into bold-faced text again: “Bold action is needed to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures.”
“The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cyber systems in the private sector.”
The NIAC recommends establishing a Critical Infrastructure Command Center to better facilitate information sharing and testing the new center’s framework during National Level Exercise 2020; raising cyber threats on critical infrastructure to a Priority 1 topic within the National Intelligence Priorities Framework; and holding a one-day Top Secret/Sensitive Compartmented Information (TS/SCI) briefing for CEOs in certain targeted sectors in the hope of spurring more urgent corporate action.
The recommendations also include the creation via executive order of the Federal Cybersecurity Commission, and calling together a symposium of agency and industry reps to lay out the roles and responsibilities of the new commission. The Justice Department would also be told to “analyze existing legal authorities to determine the ability of government to direct the private sector to implement cyber mitigations and to identify legal barriers that prevent the private sector from implementing requested mitigations and sharing information with the government.”
The NIAC further recommends that liability protection be provided “to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure” similar to nuclear industry and Energy Department authorities, and expanding programs to independently test vendor equipment and report vulnerabilities back to industry.
The signatories — NIAC Chair Constance Lau, president and CEO of Hawaiian Electric Industries, Inc.; NIAC Vice Chair Beverly Scott, CEO of Beverly Scott Associates, LLC; and working group members former Vice Chairman and COO of Constellation Energy Michael J. Wallace, President and CEO of Berkshire Hathaway Energy William J. Fehrman, AIG CISO J. Rich Baich, and former National Security Agency Deputy Director Richard H. Ledgett, Jr. — warned Trump that “America’s companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own.”
“Incremental steps are no longer sufficient; bold approaches must be taken,” they added. “Your leadership is needed to provide companies with the intelligence, resources, and legal protection necessary to win this war and avoid the dire consequences of losing it.”
The draft report cites the intelligence community’s 2019 Worldwide Threat Assessment in outlining the “ominous picture” of critical infrastructure threats from China, Russia and Iran. “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage,” the report warns.
“Recent cyber attacks demonstrate growing capabilities for adversaries to disrupt critical infrastructure from thousands of miles away. These include the cyber attack on a nuclear plant in India in September 2019, a March 2019 denial-of-service attack on wind and solar generating facilities in the United States, the breach of a U.S. nuclear power plant’s network in 2017, the 2017 NotPetya attack that affected systems in multiple sectors throughout the world, and the 2015 and 2016 cyber attacks on Ukraine’s electric grid.”
NIAC further warns — again, in bold for emphasis — that “our window of opportunity to thwart a cyber 9-11 attack before it happens is closing quickly.”
The working group, which advocates a two-track approach based on a sense of “urgent action” and a “comprehensive solution” anchored in an “executive-driven public-private partnership,” said Trump “should immediately appoint a senior leader to oversee the implementation of recommendations in this report.”
NIAC, which will discuss the report Thursday along with DHS Cybersecurity and Infrastructure Security Agency Director Chris Krebs, asked that the council receive a status update within three months on the implementation of its recommendations.
“Escalating cyber risks to America’s critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security,” the NIAC emphasized. “WE NEED TO ACT NOW.”