The U.S. needs special communications networks for its most critical industries, including physically separate fiber systems and spectrum reserved for them to use in an emergency, an industry advisory committee recommended in a report Tuesday.
“We find ourselves in a pre-9/11-level cyber moment, with a narrow and fleeting window of opportunity to coordinate our resources effectively” before a major attack, states the report, which was adopted Tuesday by the National Infrastructure Advisory Council. The report was mandated in President Donald Trump’s recent executive order on cybersecurity.
As the report notes, “Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure,” and the council — made up mostly of current or former business executives, with a few former government officials thrown in — is designed to help bring to government deliberations the perspective of those private companies that run vital businesses like banks, telecommunications and electricity generation.
Some power companies are already moving their operational systems to specially segregated networks which they own, David Nicol, director of the Critical Infrastructure Resilience Institute at the University of Illinois, told CyberScoop.
“You can see why they would want a network that nobody else is fussing with,” said Nicol. In large-scale distributed denial of service attacks, for instance, “even if you’re not the target … it’s altogether too easy to chew up the bandwidth” and block communications on a shared network.
“It’s not going to be a panacea,” he warned, noting that even air-gapped networks, like the U.S. military’s SIPRNet, did not enjoy perfect security.
Nonetheless, “Isolating these networks can significantly limit access points, giving operators fewer digital gates to guard,” notes the report.
Other recommendations in Tuesday’s report include:
- The piloting by the private sector of the machine-speed automated information-sharing techniques pioneered by the Department of Homeland Security’s Automated Indicator Sharing program
- A voluntary, cost-shared network vulnerability scanning and assessment program that provides onsite tools and expertise to help companies in vital industries test and sanitize their systems for malware using best-in-class tools
- Limited-time market-based incentives for companies in vital industries to upgrade their cybersecurity tools and adopt industry best practices
- The government must streamline and expedite security clearances for key personnel in vital industries, and build new secure facilities — called SCIFs — in which classified information can be received and stored, so that all cleared executives are no more than an hour away from one
- More and faster declassification of cyber threat information; and the expansion of DHS’s National Cybersecurity and Communications Integration Center
- Use the biennial national emergency exercise called GridEx to test and practice the detailed division of government duties during a major cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the federal government’s response actions where they are unclear
- Establish a CEO-level Strategic Infrastructure Coordinating Council to meet quarterly
The two-dozen council members debated the recommendations with administration officials from the White House, DHS and other agencies.
“Having that understanding from the folks that do own and operate the vast majority of our critical infrastructure is invaluable,” said White House Cybersecurity Coordinator Rob Joyce. Agreeing with council members that many of the recommendations would be familiar to anyone who had studied the field, he added, “But this [report] brings it together in a tight, well-organized, well-packaged way forward.”
Referencing the SICC, Joyce noted that, “the passion of the electricity community, the power community to join in at the CEO level” was well-known.
But, he added: “Some of the other communities have not had that willingness, especially the telecommunications [sector]. They just aren’t willing to commit their CEOs on a quarterly basis to make meetings.”
Michael Wallace, former vice chairman and COO of Constellation Energy, explained that CEO engagement was generally a function of who they were engaging with and what was under discussion. He said that with the recommendations the council was putting forward, CEOs would feel bound to participate.
“To be blunt, there’s so much at stake for the executives … in what we put on the table that I would find it hard to believe that they would not want to be involved,” Wallace said.
“When the government side — senior officials on the government side — [are] willing to come to the table, that also attracts the CEOs,” added council Chairwoman Constance Lau, the president and CEO of Hawaiian Electric Industries, Inc.
Currently, members noted there were three major barriers to information sharing and other forms of cyber defense cooperation.
“Among the barriers that came up over and over and over again: Legal issues, liability issues, privacy issues. None of those should be a surprise,” said Wallace.
To get rid of those barriers, he added, “Congressional action may well be needed … There’s well intended people in the private sector who want to do the right thing, but our system does not allow the right thing to be done.”