Current federal efforts to help mitigate threats against privately operated critical infrastructure fall short, according to a National Infrastructure Advisory Council report.
Federal agencies aren’t sufficiently exercising authorities—even when they have them—to inform critical private-sector entities of vulnerable supply chain elements and other threats to their organizations, according to the president’s National Infrastructure Advisory Council.
The council approved a report Thursday making a case for a new entity where public- and private-sector partners would share a 24/7 watch floor, intelligence about threats, and mitigation measures in real time. The authors state such an entity—called the Critical Infrastructure Command Center—could facilitate information sharing in a way a series of laws and recent executive orders have not.
If that sounds familiar, it’s because aspects of a preceding December 2019 NIAC report made it into recommendations of the congressionally mandated Cyberspace Solarium Commission in March. A key congressional aide working to include the commission's recommendations in the final National Defense Authorization Act said supporters simply ran out of time trying to attach provisions for a similar joint collaborative environment.
In addition to the new command center, the earlier NIAC report calls for a Federal Cybersecurity Commission that would be dedicated to helping private-sector entities defend against cyber threats. Companies would be protected from liabilities that might otherwise come from disclosing information about breaches.
At the command center, which would feed into the new commission, proactive cybersecurity measures would benefit from corporate data and government intelligence.
“The Intelligence Community identifies and evaluates threats to critical infrastructure,” reads the December report describing how the system would work. “Private company experts provide valuable technical insights to federal partners regarding the implications of the threats for company operations and validate the threats for private industry. Company representatives also have access to their corporate cyber data and can provide real-time coordination and responses to federal representatives, providing a strong value proposition for both public and private partners.”
The NIAC noted that while it would take time and congressional action to fully implement the new commission, the CICC could be stood up more quickly under existing authorities. The report approved Thursday was the result of a National Security Council request for more details on how to put it into action and to highlight the existing versus outstanding authorities involved.
Obliging, the NIAC report noted where recent executive orders, including one that would ban private-sector entities from using information and communications technology from foreign adversaries, fell short.
“Executive Order 13873 could have served as authority to help federal government assist private sector telecommunications entities in developing threat intelligence, but Department of Commerce has not promulgated final rules to implement this executive order,” the report reads.
A similar Trump administration order called specifically for the power sector to exclude technologies from foreign adversaries.
“Executive Order 13920 is motivated by concern with Huawei and ZTE components in the bulk power system and focuses on remediating that immediate concern through identification of criteria rather than on promoting innovative technologies per se,” NIAC wrote.
The council’s report also took issue with the Federal Communications Commission’s implementation of the Secure and Trusted Communications Networks Act, which calls for the FCC to come up with a list of acceptable technology to replace Huawei and ZTE equipment in smaller rural networks.
“The FCC has sought not to drive the process of identifying equipment but to seek feedback from industry through the rulemaking process to do so,” the NIAC said, adding, again, that this relates only to communications equipment.
Meanwhile, the Federal Acquisition Security Council, established by the SECURE Technology Act, NIAC points out, is only aimed at the government and doesn’t reach the private sector.
The group, which is made up of leaders of private-sector critical infrastructure as well as current and former federal and state authorities, also pointed to regional public-private collaboration efforts along the lines of what they would like to see.
They argue there is currently nothing like the CICC, which could—on a national scale, across the most highly critical infrastructure sectors—help with the development of blacklists and whitelists of technology based on threat intelligence, and inform a more comprehensive approach to cybersecurity.