This is the the draft executive summary of NIAC's "Securing Cyber Assets": Addressing Urgent Cyber Threats to Critical Infrastructure

Executive Summary: Imperative Takeaways

Our review of hundreds of studies and interviews with 38 cyber and industry experts revealed an echo chamber, loudly reverberating what needs to be done to secure critical U.S. infrastructure against aggressive and targeted cyber attacks. Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.

Our Assessment

The National Security Council (NSC) tasked the President’s National Infrastructure Advisory Council (NIAC) with examining how Federal authorities and capabilities can best be applied to support cybersecurity of high-risk assets. We reviewed a comprehensive dataset of more than 140 Federal capabilities and authorities, demonstrating impressive depth and complexity of Federal resources. We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and
resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused. Today, we’re falling short.

Recommendations

The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions:

  1. Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
    ACTION REQUIRED BY: U.S. Department of Energy (DOE), U.S. Department of Homeland Security (DHS), Office of the Director of National Intelligence (ODNI), NSC, and the Strategic Infrastructure Coordinating Council (SICC) (Electricity, Financial Services, and Communications)

  2. FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES, led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC

  3. Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
    ACTION REQUIRED BY: NSC, DHS, and Congress

  4. Strengthen the capabilities of TODAY’S CYBER WORKFORCE by sponsoring a public-private expert exchange program.
    ACTION REQUIRED BY: NSC, DHS, and Congress NIAC

  5. Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC

  6. Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
    ACTION REQUIRED BY: DHS, ODNI, NSC, Federal Bureau of Investigation (FBI), Office of Personnel Management, and all agencies that issue/sponsor clearances

  7. Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.
    ACTION REQUIRED BY: NSC, DHS, ODNI, FBI, and the Intelligence Community

  8. PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES
    led by the executives who can direct priorities and marshal resources—to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, the SICC, the Department of Defense (DOD), Treasury, and Department of Justice (DOJ)

  9. USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE NOVEMBER 2017 TO TEST the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government’s unclear response actions.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC

  10. Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
    ACTION REQUIRED BY: DHS, ODNI, NSC, DOJ, and DOD

  11. Task the National Security Advisor to review the recommendations included in this report and withinsix months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate next steps to move forward.
    ACTION REQUIRED BY: National Security Advisor

The time to act is now. As a Nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.Our Nation needs direction and leadership to dramatically reduce cyber risks. The NIAC stands ready to continue to support the President in this area.