New Critical Infrastructure Security Recommendations from NIAC

A White House advisory group, The President’s National Infrastructure Advisory Council (NIAC), has released an 11-step report urging the Administration to take action to protect against “a watershed, 9/11-level cyber attack.”

NIAC’s assessment is intended to measure how existing federal authorities could better support the cybersecurity of critical infrastructure assets that are at the greatest risk of a cyber attack and could result in catastrophic regional or national effects on public health or safety, economic security or national security.

In Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure, the NIAC outlines recommendations and lists the applicable agencies that must take action to carry out the recommendation. Here’s a summary of the actions:

1. Establish separate, secure communications networks specifically designated for the most critical cyber networks. Use “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
2. Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies to test public-private and company-to-company info sharing of cyber threats at network speed.
3. Identify best-in-class scanning tools and assessment practices, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
4. Strengthen the capabilities of today’s cyber workforce by sponsoring a public-private expert exchange program.
5. Establish a set of limited time, outcome-based market incentives that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
6. Streamline and expedite security clearance process for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
7. Establish clear protocols to rapidly declassify cyber threat info and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.
8. Pilot an operational task force of government, electricity, finance and communications industry experts to take decisive action on the nation’s cyber needs, with the speed and agility required of escalating cyber threats.
9. Use the national-level GridEx IV exercise to test the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government’s unclear response actions.
10. Establish an optimum cybersecurity governance approach to direct and coordinate the cyber defense of the nation with resources/expertise from across federal agencies.
11. Task the National Security Advisor to review the recommendations included in this report and within six months, convene a meeting of senior government officials to address barriers to implementation and identify next steps to move forward.

Recommendation 5 is particularly interesting, as it echoes a similar initiative enacted years ago within the healthcare industry to provide incentives to encourage the switch from paper records to digital systems, known as electronic healthcare record systems.

Creating market incentives to drive the adoption of upgraded IT/security infrastructure and to meet industry standards or best practices can assist in keeping critical U.S. infrastructure safe from known vulnerabilities that often exploit weaknesses in legacy systems and out-of-date software to gain access and steal and/or destroy data.

Last week, eight members of the 28-member NIAC resigned, claiming the current administration is not “adequately attentive to the pressing national security matters within the NIAC’s purview” nor “responsive to sound advice received from experts and advisors on these matters,” as stated in a copy of the resignation letter.