The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure.
The purpose of NIAC is to advise the President on the cybersecurity of critical services, such as banking, finance, energy and transportation. The Council was created in 2001 by President Bush’s executive order 13231, and its functioning was extended until September 2017 by Obama’s 2015 executive order 13708. It can comprise up to 30 members chosen by the President.
The new report makes 11 recommendations to improve the security of the critical infrastructure. Overall, it presents a damning indictment on U.S. readiness. “We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber-attacks — provided they are properly organized, harnessed, and focused. Today, we’re falling short.”
There is an intriguing back-drop to this report — on the day before its publication, seven of the existing 27 members resigned. Resignations among President Trump’s advisors are common, with causes ranging from the political (such as Tesla’s Elon Musk and Disney’s Robert Iger resigning from Trump’s business panel over the withdrawal from the Paris climate accord), and ‘cultural’ (such as those who left the Manufacturing Jobs Initiative and the Strategic and Policy Forum over the President’s Charlottesville comments).
In their NIAC resignation letter (seen by Roll Call), the Paris accord and Charlottesville were again mentioned, together with the President’s ‘attacks’ on CEOs who do resign from his advisory panels. However, the letter also noted the President’s “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend…” It is not clear whether and to what extent — if any — these resignations relate to the President and NIAC.
That said, the NIAC report has been received by the industry with little enthusiasm and much reservation. For example, Patrick Coyle (owner and author of Chemical Facility Security News) questions the validity of the 9/11 reference. He simply does not believe that the main threat is “the grand cyber-attack; the infamous cyber pearl harbor.” A grand attack, he told SecurityWeek, will require a grand response; “a kinetic response that few would be willing to risk.”
Coyle believes that the more likely threat “would be a number of smaller attacks that weakened the economy and reduced the will of the American people to resist. Such attacks would be much less likely to garner a kinetic response, so the risk to the attacker would be much less.”
Sqrrl director Matt Zanderigo, calls it a “good report with solid, actionable recommendations;” but adds that many of the recommendations are not new. “This is less an issue of strategy and more about execution,” he told SecurityWeek. “It is good to see that the final recommendation is focused on tracking activity and performance against these recommendations, as I think that will be key and should be done as transparently and publicly as possible.”
But there remains a potentially fatal flaw: NIAC’s recommendations are all voluntary, albeit with incentives. “The problem with voluntary measures and incentives for critical infrastructure owners,” he said, “is that the national consequences of a cyber attack on certain key pieces of critical infrastructure far outweigh the local impacts for that owner/operator. This mismatch between local risk and national risk for cyber-attacks on critical infrastructure is the type of market inefficiency that is typically best filled by regulation.”
The lack of innovative ideas also concerns Chris Roberts, chief security architect at Acalvio. “Frankly, eleven key recommendations are about five too many,” he said. “Let’s face it, we’ve all been screaming about critical infrastructure for years, keeping the message very simple — and this 45-page report comes out, says the same thing and then, heaven forbid, puts the remit for action into the governments hands.”
He has more specific concerns. Recommendation #3 states, “Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis;” and then calls for action from the National Security Council, the Department of Homeland Security, and Congress.
Roberts’ opinion is scathing. “Seriously, we are going to let Congress work out what scanning tools we should use? What idiot came up with that one?”
Perhaps the biggest disappointment is over critical infrastructure threat intelligence sharing. Recommendation #2 calls for a private-sector-led pilot “to test public-private and company-to-company information sharing of cyber threats at network speed.” This would be augmented by Recommendation #7: “Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure.”
In short, private industry needs to share threat information among itself better than it does, while government needs to share its intelligence with private industry. On company-to-company sharing, Roberts comments, “Oh good, another feed for people to ignore, to not pay attention to, or too little information too late for anyone to be able to do anything with.”
Nor does he believe that government sharing will come to much. “Telling the DOE, DHS, ODNI and SICC to work with separating communications is going to be interesting especially as most of them, honestly, can’t communicate effectively today.”
Jason Kent, CTO at AsTech, believes these two recommendations should be treated as one. It’s not going to be easy. “When something about an adversary or attacker is learned, that becomes a carefully guarded secret.” Government agencies do not like sharing their secrets, while individual companies often dare not because of the complexity of existing legislation.
Kent’s recommendation would be to start with the government agencies since they can be more easily compelled than private industry. “Imagine if you could get all these guys to collaborate: DOE, DHA, ODNI, NSC, SICC. What is the conduit through which they should speak? We don’t currently have a way for them to share threat intel. Obviously an impartial 3rd party is needed to facilitate the communication, but how do we create one with nothing like this built today?”
His solution would be a national cyber security council “that basically takes threat data from our nation’s various infrastructures, combined with feeds from private organizations, that is consumed and analyzed for patterns and risks… True security,” he says, “comes from the security of all, not the one. We need to change our focus from protecting one asset at a time to protecting all assets at risk.” To solve this, he proposes a new third-party organization that is trusted by both public and private organizations able to share solutions rather than just threats.
The overriding problem with the NIAC report is the perception that it repeats known problems and proposes new studies without offering realistic solutions. In summary, a common feeling within the industry is that the NIAC report is too complicated, says little that is new, and provides voluntary recommendations that will likely be ignored for the same good business reasons that are already being ignored.