The President’s National Infrastructure Advisory Council (NIAC) recommended “urgent and comprehensive action” on cyber threats to critical infrastructure in a draft of its Dec. 12 memo to the White House.
“Escalating cyber risks to America’s critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security,” an introduction letter from the council to President Trump states. “Bold action is needed to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures.”
The memo outlined nine recommendations to make cyber intelligence actionable, protect critical systems, modernize legal authorities, and secure the supply chain:
- Establish the Critical Infrastructure Command Center (CICC) to improve data sharing and processing between government actors;
- Direct the intelligence community to prioritize efforts to spread information on critical infrastructure attacks;
- Conduct a briefing to CEOs of energy, communications, and financial services on the case for combatting cyber threats and operationalizing the CICC;
- Use the National Level Exercise 2020 to pilot CICC;
- Issue an executive order to establish the Federal Cybersecurity Commission (FCSC), an independent government entity that mitigates cyber risks to critical infrastructure;
- Convene a meeting between cabinet secretaries, regulators, Office of Management and Budget officials, CEOs, and industry personnel to clarify the roles, functions, and responsibilities of FCSC;
- Direct the Department of Justice to analyze the ability of the government to direct the private sector to implement cyber mitigations;
- Provide liability protection that allows blacklisting and whitelisting of critical cyber products; and
- Continue and expand the Department of Energy’s ability to test vendor equipment for cyber vulnerabilities.
NIAC recommended a two-track approach to implementation. The council calls for urgent action addressing near-term risks and a comprehensive, long-term solution centered around public-private partnership.
“America’s companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own. Incremental steps are no longer sufficient; bold approaches must be taken,” the council members wrote.
The draft report lists China, Russia, and Iran as potential nation-state cyber threats to the United States. NIAC predicts that the “window of opportunity to thwart a cyber 9-11 attack before it happens is closing quickly.”
NIAC asked the president to appoint a senior leader to oversee the implementation of its recommendations and requested a status update on its recommendations in the next three months. The report was commissioned by the National Security Council in September 2019 to better understand how public-private partnerships can mitigate cyber risks to critical infrastructure.