Introduction
Today’s cyber attacks are increasingly dangerous and targeted, designed by advanced actors to damage or disrupt critical U.S. infrastructure that delivers vital services—particularly electricity and financial services. Attackers can inflict damage on physical infrastructure by infiltrating the digital systems that control physical processes, damaging specialized equipment and disrupting vital services without a physical attack. As a nation-state cyber attack on U.S. infrastructure places private companies on the front line, this presents a national security challenge unlike any other. It is imperative that federal and private roles in defending these systems are aligned and mutually supportive.
The President’s National Infrastructure Advisory Council (NIAC) believes that the federal government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused. Today, we are falling short. Cyber capabilities and oversight are fragmented while roles and responsibilities remain unclear. We are simply not organized to keep up with the threat.
Fortunately, we find ourselves in a pre-9/11-level cyber moment, with a narrow and fleeting window of opportunity to coordinate our resources effectively. Our recommendations call on the Administration to use this moment of foresight to take bold, decisive actions—requiring the federal government to apply its collective authorities and capabilities in concert with the private sector.
Our Task
In support of Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued in May 2017, the National Security Council (NSC) tasked the NIAC to assess how existing federal authorities and capabilities could be employed to assist and better support the cybersecurity of critical infrastructure assets that are at greatest risk of a cyber attack that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. The NIAC formed a Working Group of nine members to complete this tasking.
Our Assessment
The Working Group was presented with a comprehensive dataset of more than 140 different federal capabilities and related authorities, encompassing multiple programs and stand-alone activities. While this dataset demonstrates the impressive depth of available federal capabilities, it also underscores the complexity of the federal structure and mechanisms that house these capabilities. We examined the top needs of high-risk industries today, then examined how existing federal authorities and capabilities can be best applied to address them.
We found that many outstanding federal capabilities play crucial roles in cyber defense and resilience today. However, their effectiveness is constrained in the following ways:
- Private sector knowledge of these capabilities and incentives to use them are limited.
- Access is hindered by multiple legal and administrative constraints.
- Government capabilities are scattered across a wide swath of agencies, departments, and their subunits—a complicated labyrinth comparatively few can effectively navigate.
- Classification of essential threat information can delay and hinder coordinated response.