Analysis
OT Network security
Regulation, Standards and Compliance

NIAC says U.S. government too slow in addressing infrastructure cybersecurity threats

December 10, 2019
NIAC says U.S. government too slow in addressing

The President’s National Infrastructure Advisory Council (NIAC) calls for ‘bold action.’

This week, the President’s National Infrastructure Advisory Council released a draft of a memo on infrastructure cybersecurity. According to the memo, the United States is not sufficiently prepared to address existing cyber risks to critical infrastructure.

The memo is the result of a months long examination, prompted by the National Security Council, into how the federal government and private sector can work together to address the security of highly targeted private infrastructure. According to the NIAC’s findings, escalating cyber risks threaten the continuity of government, economic stability, social order, and national security.

“U.S. companies find themselves on the front lines of a cyber war they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure. Bold action is needed to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures,” the memo says. “The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cyber systems in the private sector.”

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

In a report set to be released December 12, the NIAC says the government has failed to adequately address cyber threats to critical infrastructure. The report details a series of recommendations for steps the government can take to better aid the private sector currently fighting what the NIAC calls a “cyber war against multi-billion-dollar nation-state cyber forces.” The NIAC calls on the government to take “bold action” to address the growing threat.

Among the report’s recommendations is the creation of a Critical Infrastructure Command Center to enable real-time data sharing and processing between the public and private sector to allow for the development of actionable intelligence and threat mitigations. The CICC would involve a 24/7 watch floor where intelligence operatives and cybersecurity experts could monitor threats and take action when necessary to mitigate attacks.

The report also recommends the formation of a Federal Cybersecurity Commission tasked with mitigating catastrophic cyber risks to critical infrastructure. The FCSC would be an independent U.S. government entity that would serve as a bridge between the government and at risk companies in the energy, financial services, and communications sectors.

“Your leadership is needed to provide companies with the intelligence, resources, and legal protection necessary to win this war and avoid the dire consequences of losing it,” the memo says. “Establishing the CICC and FCSC will empower our nation to meet, engage, and thwart those who choose to target our critical infrastructure.”

The report also calls for direct action to improve supply chain cybersecurity. Hackers often target the supply chain in order to gain access to critical infrastructure, using malware and other tactics to compromise digital equipment.

In an effort to curb supply chain risk, the U.S. government passed the National Defense Authorization Act for Fiscal Year 2014, which gave the Secretary of Energy the authority to “use classified threat information to end contracts or eliminate companies from contract competitions without providing cause if it is based on classified information.” However, according to the report the Department of Energy has yet to use this authority.

In addition to utilizing the NDAA, the NIAC also advocates for expanding the DOE’s procurement authority. The report calls for the government to provide liability protection to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure.

“Incremental cybersecurity improvements cannot keep pace with the rapid, asymmetric offensive strategies used by nation-states to infiltrate, map, and compromise the cyber networks of U.S. critical infrastructure,” the report says. “The past 20 years of well-meaning government efforts have shown that our national approach to securing the cyber assets of critical infrastructure are far less than optimal. Radical new approaches are needed that combine the extensive capabilities and resources of government and industry to protect private sector networks where failure could result in catastrophic impacts on public safety, economic stability, and national security.”

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
CISA issues Emergency Directive 24-02 in response to Russian cyber threat targeting Microsoft email accounts
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
European Commission recommends Coordinated Implementation Roadmap for transition to Post-Quantum Cryptography
Senator Wyden introduces legislation to boost government collaboration technology security, interoperability
Senator Wyden introduces legislation to boost government collaboration technology security, interoperability
NSA information sheet focuses on enhancing data security and zero trust implementation
NSA information sheet focuses on enhancing data security and zero trust implementation