Biden’s PCAST body sets up Working Group to work on cyber-physical resilience, strengthen critical infrastructure

The President’s Council of Advisors on Science and Technology (PCAST) announced last week the establishment of a working group on cyber-physical resilience to bring together consulting experts from across the public and private sectors and academia. The working group will consist of several PCAST members and other experts, who will work towards building resilience across critical infrastructures.

“Over approximately the next six months, the group will be consulting numerous organizations and experts to formulate recommendations to the president. Our engagement will include leads on cyber-resilience at organizations like NIST, MITRE, DARPA, and DHS,” the Working Group co-leads and members wrote in a White House blog post. The current Working Group co-leads are Eric Horvitz and Phil Venables, while the Working Group members are Jon Levin, Bill Press, Vicki Sato, Lisa Su, and Kathy Sullivan.

The PCAST is the sole body of advisors from outside the federal government charged with making science, technology, and innovation policy recommendations to the President and the White House. Established by Executive Order, it is an independent Federal Advisory Committee composed of individuals from industry, academia, and non-profit organizations with a range of perspectives and expertise. PCAST also develops evidence-based recommendations for the President on matters involving science, technology, and innovation policy, as well as on matters involving scientific and technological information. 

The PCAST body consists of 30 members, including 20 elected members of the National Academies of Sciences, Engineering and Medicine, four MacArthur ‘Genius’ Fellows, two former Cabinet secretaries, and two Nobel laureates. Its members include experts in astrophysics and agriculture, biochemistry and computer engineering, ecology and entrepreneurship, immunology and nanotechnology, neuroscience and national security, social science and cybersecurity, and more.

The latest post recognizes “that people from many different areas, more than we can possibly directly consult, may have valuable perspectives to contribute to this work. So, we are inviting submissions into our deliberation. These could take the form of new ideas, existing ideas, methods, or projects you think could advance our cyber-physical resilience. It could even take the form of removing or adjusting existing practices that are decreasing our natural resilience. We would appreciate the submissions to be concise and not proprietary or otherwise inappropriate for public disclosure,” it added.

Given the prevailing threat landscape, the blog post said that “we need a different approach, not just to defend ourselves from cyber-attacks and failures, but to presume that attacks will always get through and that failures of components are unavoidable. We need to be resilient in the face of attacks and failures so we can withstand or recover quickly. This needs a fundamental re-imagining based on taking a holistic, systems-thinking approach.”

The PCAST body called for highly actionable recommendations on recovery and survivability in the face of attacks and events, approaches to assure continuity of operations in degraded states, and mechanisms to measure and assess modularity and limitations of scope or costliness of failures. It also seeks detail on incentives to balance efficiency, which can reduce resilience, against the investment needed to maintain sufficient resilience.

Furthermore, the post invited opinions on out-of-band or systems-independent means of assuring physical control in the event of digital failures, and methodologies and standards to encourage resilient systems design and adoption.

The post comes in the wake of increased digitization, coupled with rising challenges with the resilience of increasingly interconnected digital and physical systems across businesses, public services, critical infrastructure, and government institutions. The tightly coupled inter-dependencies among physical and digital components in systems can lead to high levels of ‘brittleness,’ when even minor disruptions lead to wide-scale and unpredictable effects.

“The digitization of all aspects of society has made us all dependent on complex and often fragile cyber-physical systems that can easily break down or suffer from cyber-attacks, software glitches, supply chain problems, mechanical failures, natural disasters, or other disruptions,” the post assesses. “These breakdowns or attacks can have serious and unpredictable consequences for many sectors, such as banking, energy, transportation, and health care.”

It took into account that events or attacks in one part of one system can have ripple effects leading to banking outages, oil pipeline failures, ground-stops of whole fleets of aircraft, and disruption of medical facilities with devastating outcomes, to name just a few possibilities. “In each situation, the common response to failures or rising concerns is often to try and make specific components more reliable, better defended, and more tightly regulated in the hope that system-wide resilience improves.”

Earlier this month, the U.S. administration released its National Cybersecurity Strategy to reimagine cyberspace and shift the cybersecurity burden to technology providers. The document imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced governmental role in disrupting hackers and state-sponsored entities, recognizing that new and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety.
