During the early days of the Cold War, American planners wrestled with the emerging challenge of deterring a Soviet nuclear strike. Recognizing the destructive potential of nuclear weapons, the U.S. opted to focus its efforts on ensuring that adversaries clearly understood the U.S. capacity to retaliate and impose costs. Defense and resilience were a secondary priority. We did not, for example, build our subway systems hundreds of feet underground to double as fallout shelters, as the Soviets did. We relied heavily on the concept of mutually assured destruction to dissuade adversaries.
With the Cyberspace Solarium Commission, we have assessed that a strong offense does not convey the same deterrent in cyberspace as it does in nuclear or conventional war. While the ability to impose costs is important, a U.S. strategy to secure ourselves in cyberspace must prioritize defense, denying adversaries the opportunity and benefits brought by attacking us in this evolving domain. Core to that defensive effort is promoting national resilience—the capacity to withstand and quickly recover from attacks that could compel, deter, or otherwise shape U.S. behavior. In short, resilience ensures that critical functions and the full extent of U.S. economic and military power remain available in peacetime and are preserved in crisis.
We also recognize the preeminent role the private sector plays in the security and resilience of the United States. As over 85% of critical infrastructure is owned and operated by the private sector, resilience is and will continue to be a public-private endeavor. The added element of cyberspace makes this all the more relevant as private-sector innovation and technological development continue to make critical infrastructure more connected and interdependent. Any movement the U.S. government undertakes will be better informed and more effective with the involvement of the private sector. Any success will by necessity only be achieved by the U.S. government and the private sector working together to mitigate the risks that collectively affect us all.
In the course of our work, the commission has identified two areas where the government must mature, modernize, and bring critical infrastructure defense and resilience fully into the 21st century. First and foremost, the U.S. government and the private sector must work together to understand our collective risk and take steps to mitigate it. This means identifying how businesses or entire industry sectors depend on one another, assessing where these dependencies are concentrated, and instituting measures to prevent disruption if these high-risk areas are attacked. As the “National Risk Manager” for critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has established a foundation to do this work, but the government must continue to mature and evolve this effort.
CISA, and the national risk management effort it leads, rely heavily on sector-specific agencies. Assigned to each of the 16 critical infrastructure sectors, these agencies or departments manage the day-to-day engagement with critical infrastructure within their sector. Some departments, such as the Department of Energy and Department of Treasury, have taken a leading role. Others have lagged behind, largely limited in funding and institutional support. This inconsistency introduces blind spots and weak links in the national effort to identify, assess, and manage risk. Congress should codify these sector-specific agencies into law, establishing baseline expectations, responsibilities, and funding in working with their sectors and contributing to the larger national risk management effort.
Secondly, the U.S. government must also be prepared for circumstances when cyberattacks are successful, and it must be able to take measures to rapidly respond and recover. While the U.S. government maintains robust processes to respond to disasters through continuity of operations (COOP), continuity of government (COG), and Federal Emergency Management Agency (FEMA) operations, there are noticeable gaps that must be addressed.
Since our economy is a core pillar of U.S. strength and a key deterrent to adversaries, the government must maintain processes to ensure the economy is continuously functioning in the face of disruption. The national flow of goods and services is the lifeblood of nearly every aspect of American life—our government, our military, our standard of living, our public health and safety, and our international standing. To ensure the U.S. government plans for and retains the capacity to ensure the continuous functioning of our economy, Congress should direct the executive branch to undertake Continuity of the Economy (COTE) planning, analyzing the interdependencies of National Critical Functions and key materials, prioritizing core functions for response and recovery, and identifying areas for investments in resilience and preservation of data.
The U.S. government must also maintain a capacity to aid in response and recovery from significant cyber incidents. Current mechanisms for cyber incident response do not fully empower federal agencies with the needed authorities, funding, or resources to respond to or aid non-federal entities, even when a “significant cyber incident” designation has been made. FEMA mechanisms may be available to aid response to and recovery from a cyber incident that approaches the level of a natural disaster, but few cyber incidents are likely to cross that threshold. The absence of such empowerment for incidents below the level of an emergency declaration remains a key check on the U.S. government’s ability to rapidly mobilize and scale support in response to a cyber incident of variable size.
To address this gap, Congress should codify the authority of the federal government to declare a “cyber state of distress” tied to a response-and-recovery fund. This designation and the associated fund would enable the federal government to assist state, local, tribal, territorial, and private sector entities beyond what is currently available through conventional technical assistance and cyber incident response programs. The declaration would be used for responding to, or preparing for, cyber incidents whose significance is above “routine” but below what would trigger an emergency declaration. The recovery funds could be used to augment or scale up technical assistance and incident response efforts in support of public and private infrastructure.
The U.S. has a firm foundation for its resilience efforts. Many of the same processes and mechanisms that have served us well in planning for natural disasters and nuclear war have laid the groundwork to tackle the key challenges we face today. But the U.S.’s success will ultimately depend on its ability to take risks, adapt, and apply old lessons to new problems and a new strategic context. We believe that the Cyberspace Solarium Commission has identified the key pieces that can set the U.S. back on the right path to promote national resilience. Now it is up to Congress and the broader U.S. government to take action, implement these recommendations, and secure the future of American power.
Representative Mike Gallagher is Co-Chairman of the Cyberspace Solarium Commission and represents the 8th District of Wisconsin in the U.S. House of Representatives.
Samantha F. Ravich is a Commissioner on the Cyberspace Solarium Commission and the Chair of the Center for Cyber and Technology Innovation at the Foundation for the Defense of Democracies.