The U.S. government and private sector need to be planning now for a cascading cyberattack on critical infrastructure by mapping out emergency authorities and supply-chain contingencies — lest they be caught off-guard during the real thing, a new study says.
If the public and private sector don’t begin developing specific procedures for mitigating a cross-sector cyberattack on the economy, “the United States will find itself flat-footed during a major cyber event,” says a report published Tuesday by the think tank Foundation for Defense of Democracies and consultancy The Chertoff Group.
The report is the output of a tabletop exercise that FDD held in October, the details of which were first reported by CyberScoop. That exercise considered a hypothetical, debilitating cyberattack on multiple sectors of the U.S. economy. Former national security and law enforcement officials, along with executives from the banking, electricity, and retail sectors, discussed how the U.S. government and industry might respond to the security crisis. They told each other what the missing links are — in terms of authorities and collaboration — in defending against such an attack.
U.S. critical infrastructure operators and national security officials already plan for emergencies, but the point of the exercise was to improve that planning.
Retired Gen. Michael Hayden, former head of the CIA and National Security Agency, said he came away from the exercise convinced that “there is a need to review and reshape the specific division of labor and responsibility between government and private sector in addressing cyber-enabled economic warfare events, as the status quo has been outmoded.”
Participants were specific in identifying how that status quo is outdated. They found that private-sector security clearances were in short supply, that industry’s most critical systems weren’t well defined, and that they differed on the value of attributing cyberattacks to foreign actors, among other issues.
Defining those critical systems would allow the intelligence community to “collect and provide more targeted, and therefore more useful, information on how cyber actors could try to compromise these systems,” the report states. The Department of Homeland Security last year set up a National Risk Management Center for the explicit purpose of identifying risk to those “critical functions” that underpin national and economic security.
The U.S. government has made a point of publicly blaming other governments for hacking operations. However, some of the exercise’s private-sector participants said the perpetrator’s identity wasn’t important so long as they had malware indicators to mitigate an attack. They called on the government to better articulate “how information from private-sector organizations advances the government’s ability to attribute attacks and why this attribution serves the interests of the private sector,” the report says.
The study embraces the vigilant mentality adopted by first responders to an emergency. In an interconnected world, plan for every contingency and consider every possible point of failure, the thinking goes.
“The robust continuity of our economy may hinge on ensuring that the right resources, data, technology, and personnel flow smoothly to assist affected sectors in the aftermath of such a catastrophic event,” said the FDD’s Samantha Ravich, a former national security adviser to Vice President Dick Cheney.
For Ravich and the report’s other authors, that means potentially rationing critical computing capacity in a crisis. Washington must “consider a national technology reserve for long-lead-time components in the supply chain and a secure cloud for critical infrastructure data as a way to ensure the continuity of the economy,” they write.
The cyberattack in the scenario came through a supply chain infection, and participants found there was “an urgent need for a much more comprehensive effort to ensure resiliency given supply chain interdependencies.”
The FDD-Chertoff Group report also hit on a familiar theme in public-private cybersecurity efforts: the information-sharing regime isn’t getting the job done. “Relatively few companies outside select sectors are proactively sharing cybersecurity threat information with federal entities,” the FDD report concludes.