A draft of the National Infrastructure Advisory Council (NIAC) Cyber Working Group report on securing the nation’s critical infrastructure has found that while the U.S. has the capabilities to defend against cyber attacks, it lacks the coordination to do so effectively.

“Based on all this work we believe–and this to me is an astounding statement to be able to make–we believe that the U.S. government and the private sectors together have the capabilities needed to defend critical private systems from aggressive cyber attacks,” said Robert Carr, Cyber Working Group co-chair. “But today we are not organized or coordinated in a way that allows us to apply these resources effectively. Cyber capabilities and oversight are fragmented, and private sector and government roles and responsibilities remain unclear.”

The NIAC was created by an executive order in October 2001, and is tasked with providing the President, through the Secretary of Homeland Security, with advice on the security and resilience of U.S. critical infrastructure. The report includes 11 recommendations for improving the cybersecurity of that infrastructure:

  1. Establish separate, secure communications networks specifically designated for the most critical cyber networks
  2. Facilitate a private sector-led pilot of machine-to-machine information sharing technologies
  3. Identify best-in-class scanning tools and assessment practices
  4. Strengthen the capabilities of today’s cyber workforce by sponsoring a public-private expert exchange program
  5. Establish limited-time, outcome-based market incentives to encourage owners and operators to upgrade cyber infrastructure
  6. Streamline and expedite the security clearance process
  7. Establish clear protocols to rapidly declassify cyber threat information
  8. Pilot an operational task force of experts in government and the electricity, finance, and communications industries
  9. Use the national-level GridEx IV exercise (a NERC developed cyber simulation) to test the execution of Federal authorities and capabilities during a cyber incident
  10. Establish an optimum cybersecurity governance approach to direct and coordinate the nation’s cyber defense
  11. Task the National Security Adviser to review the recommendations and, within six months, convene a meeting of senior government officials to identify barriers and immediate steps

“We recommend that overall accountability for implementation of all recommendations should rest with the President’s National Security Adviser,” said Mike Wallace, Cyber Working Group co-chair. “Achieving the level of coordination required to act on these recommendations will not be easy, and that is why several of our recommendations involve piloting innovative solutions with the most critical sectors where urgency is high and senior leadership are already engaged.”

According to Rob Joyce, cybersecurity coordinator in the Executive Office of the President, the administration supports the importance of such cyber initiatives, and Joyce called the NIAC’s mission “some of the most important work we’re going to do.”

“I think we’ve made a lot of progress over the past five or six years,” said Robert Kolasky, acting deputy under secretary for the National Protection and Programs Directorate, citing the NIST Cybersecurity Framework, work with private sector, coordination for Federal cyber roles as advancements in this space. “Despite progress that’s being made, there’s still a gap out there, and maybe some of the things we’ve done aren’t enough and it’s time for the community, senior level, government, industry–get congress involved, get some of our best thinkers involved–to see where there are areas where the policy direction we’ve been on isn’t enough.”

According to Constance H. Lau, NIAC chair, cybersecurity has long been a concern of critical infrastructure owners and operators.

“I think in all prior NIAC studies we have been hearing from owners and operators of our critical infrastructure how important the cyber issues are, and it has been a continuing crying need for assistance in those areas,” said Lau. “And so this report does provide recommendations on how the Federal government could assist owners and operators of critical infrastructure in cyber issues.”

“Unequivocally there has been none as intense as this one,” agreed Wallace. “There’s urgency recognized by everyone at the highest levels, in the Federal government and in the private sector. The time to act is now. Our nation needs direction and leadership to dramatically reduce cyber risks and the NIAC stands ready to support the President in this area.”

Read More About
More Topics
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.