On August 22, 2017, the President’s National Infrastructure Advisory Council (“NIAC”) issued a Report on securing critical U.S. infrastructure against cyber-attacks. The Report states that the U.S. is underprepared for the urgent threat it faces, noting that while the country is in a “pre-9/11-level cyber moment,” there is only a “narrow and fleeting window of opportunity to coordinate our resources effectively.” The Report lays out a number of recommendations and focuses on coordination between the federal government and the private sector.
NIAC was established in October 2001 by President George W. Bush to advise the President on security and resilience of critical infrastructures, including physical assets and cyber networks. The Council is composed of executives from industry, academia, and state and local governments. NIAC created the Report in response to President Trump’s May 2017 Executive Order entitled: “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” King & Spalding previously reported on the President’s Executive Order here.
The Report notes that private companies are on the “front line” in the event of a cyber-attack on U.S. infrastructure. In addition, NIAC argues that the nation’s cybersecurity capabilities are fragmented, with unclear roles and responsibilities. Nonetheless, the Report states that the government and private sector have “tremendous cyber capabilities and resources” to defend against cyber-attacks. As such, the Report’s recommendations focus on how the government can work with the private sector.
The Report makes 11 recommendations, noting that they “reflect a strong consensus on what must be done next.” Among the key recommendations for the President are to:
Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies. The Report recommends that such a pilot be led by the electricity and financial services sectors, and would allow parties to identify state-of-the-art technologies for information sharing and to work out any issues with such sharing.
Sponsor a public-private expert exchange program to strengthen the capabilities of the nation’s cyber workforce. As part of this recommendation, the Report also recommends expanding scholarship and internship programs to attract qualified employees to the field.
Establish limited time, outcome-based market incentives to encourage the private sector to upgrade cyber infrastructure. These incentives could include tax credits, regulatory relief from audit and reporting requirements when industry standards are implemented, and grant or investment programs to fund upgrades or security investments.
Create protocols to rapidly declassify cyber threat information. Declassification would allow governmental authorities to proactively share such information with the private owners and operators of critical infrastructure.
Pilot a task force of experts in government and in the electricity, finance, and communications industries. The Report recommends creating a three-tiered task force with (1) senior executives in industry and government with the authority to set priorities and direct resources, (2) operational leaders who work the issues and implement strategic direction, and (3) dedicated full-time operational staff from both industry and government that dig in and solve complex issues.
Establish an improved cybersecurity governance model to direct and coordinate cyber defense. The Report specifically points to “innovative” governance models now in use in Israel and the United Kingdom, both of which created new offices to handle cybersecurity. For example, the UK opened its National Cyber Security Centre in February 2017 as a central body to manage cybersecurity incidents and act as a hub for interagency cooperation. (King & Spalding previously reported on the NCSC here).
The NIAC Report is available here.