Unless government and private sector decision makers begin developing cyber-enabled economic warfare (CEEW)-specific procedures and trust now, the United States will find itself flat-footed during a major cyber event.
That’s the conclusion of a report released Tuesday by the Foundation for Defense of Democracies and The Chertoff Group consultancy.
In October 2018, the groups held a tabletop exercise on what would happen after a CEEW event.
Such a strike could cripple the country’s economy and infrastructure. The impacts could be severe, affecting food supplies, healthcare and financial services, possibly sparking a public panic, the report said.
The exercise involved former government officials from the CIA, NSA and FBI, as well as a dozen top executives from industries including energy, finance, technology and manufacturing.
One of the key issues in the whole exercise is something that has been ongoing for years: Can the two sides trust each other?
One key finding that came out of the report is that there is disagreement about the importance of attribution of attacks and the relevance of private sector data to attribution. Notwithstanding advances in legal safeguards, challenges and misunderstandings also persist regarding protections that enable the private sector to share information with the U.S. government.
One idea is to start plans that would help industries to anticipate how such an attack would affect their operations and what government resources are available.
Some recommendations for the first key finding are:
1. Washington should undertake a more broad-based public awareness campaign to educate the citizenry – focusing specifically on executives at large – and sector-significant companies on the importance of the private sector’s role in helping to safeguard the nation during a national cyber emergency.
2. Washington should educate the private sector on data types most needed to attribute and disrupt CEEW attacks.
3. Industry should collaborate on a unified approach to strategic early warning of attacks on important infrastructure underpinning critical lifeline sectors.
4. The U.S. government should “pre-clear” a population from the private sector whose clearances could be activated for timely and sensitive information sharing as needed.
5. Private sector entities should engage in focused discussions that weigh the relative sensitivity of information categories potentially requested by the U.S. government so they can be prepared to respond to U.S. government requests or demands in crisis conditions.
6. The U.S. government and private sector entities (or relevant ISAOs) should establish a requirements definition process that enables private sector organizations across multiple industries to proactively define key information collection and analysis needs.
7. Industry information-sharing organizations, including ISAOs, should also consider requiring their companies to contribute threat information as a condition of membership.
A second key finding is that the U.S. government possesses response functions, emergency authorities, and powers that can be invoked during a significant cyber event, but the practical implications during severe cyberattack conditions remain unclear. It is critical to build and sustain resilient enterprises now to mitigate future catastrophic impacts.
1. To better understand interdependencies across sectors, the White House and Congress should properly resource and fund the Department of Homeland Security’s National Risk Management Center, which identifies national critical functions and associated interrelationships and dependencies.
2. The U.S. government should also develop resource prioritization and allocation plans pursuant to Executive Order 13636, which directs the Department of Homeland Security to create a list of entities upon which a successful cyberattack would likely have catastrophic consequences.
3. The U.S. government should assess the best mechanisms for a national technology reserve for critical long-lead-time components in the supply chain.
4. Washington should incentivize commercial entities to develop capabilities to anticipate, withstand, contain, and rapidly recover from a significant cyber event.
5. The U.S. government should begin developing strategies to create a Continuity of the Economy plan and assess the costs and benefits of creating a secure cloud for critical infrastructure data.
6. Washington should evaluate existing authorities that mandate the private sector engage in immediate patching and related defensive and containment measures, recognizing that new authorities may be needed.
7. Private companies should conduct comprehensive business impact analyses on critical business functions and the applications, data, and other IT assets that support those functions. They should also ensure that business continuity and disaster recovery plans feature recovery time objectives as well as redundancies and work-arounds to sustain critical operations.
8. ISAOs should work with their members to enhance software supply chain visibility to reduce the risk of subversion and compromise. Mitigation initiatives could include software transparency, a secure systems development life cycle (SDLC), more vigilant third-party due diligence, and continuous monitoring.
9. The government and private sector should also consider how a mature cyber insurance market (with better actuarial data and mechanisms to measure an organization’s resilience) could help advance private sector resilience.