By SecureWorld News Team
Tue | Dec 10, 2019 | 7:15 AM PST

It's a team put together to help protect the United States from a catastrophic cyberattack.

That team is called the National Infrastructure Advisory Council (NIAC), and it just revealed several ways the federal government and private industry can collaborate seamlessly to confront cyber risk in the most critical and targeted parts of private infrastructure.

As part of this team's role, findings must be shared with President Trump, and their letter to the president opens with this dire warning:

"U.S. companies find themselves on the front lines of a cyber war they are ill-equipped to win against nation-states intent on disrupting or destroying our critical infrastructure. Bold action is needed to prevent the dire consequences of a catastrophic cyber attack on energy, communication, and financial infrastructures."

They are sharing a laundry list of steps that industry and the private sector should take right now, with the government's help.

9 steps to address cyber risk in critical infrastructure

  1. Establish the Critical Infrastructure Command Center (CICC) to improve the real-time sharing and processing of private and public data—including classified information—between co-located government intelligence analysts and cyber experts from companies at greatest risk.
  2. Direct the Intelligence Community to raise the priority of collecting, detecting, identifying, and disseminating information on efforts by nation-state and non-state actors to exploit, deny, or otherwise attack critical infrastructure in the United States.
  3. Conduct a one-day Top Secret/Sensitive Compartmented Information (TS/SCI) briefing to CEOs of identified energy, communications, and financial services companies to build a compelling case for company action to counter serious cyber threats and to facilitate operationalizing the CICC.
  4. Use the upcoming National Level Exercise 2020 to pilot the CICC model by bringing together cleared private sector experts with intelligence officers and representatives from other key government agencies.
  5. Issue an Executive Order to create the Federal Cybersecurity Commission (FCSC) as an independent U.S. government entity to mitigate catastrophic cyber risks to critical infrastructure that have potential national security impacts.
  6. Convene a symposium of select Cabinet Secretaries, regulators, Office of Management and Budget (OMB) officials, CEOs, and industry representatives to clarify the functions, roles, responsibilities, and processes of the Commission, based on the more detailed work done by the NIAC.
  7. Direct the Department of Justice to analyze existing legal authorities to determine the ability of government to direct the private sector to implement cyber mitigations and to identify legal barriers that prevent the private sector from implementing requested mitigations and sharing information with the government, based on the more detailed work done by the NIAC.
  8. Provide liability protection to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure.
  9. Continue and expand programs at the DOE's national laboratories and other ongoing initiatives to independently test vendor equipment for vulnerabilities and report the results to private companies.

There are a lot of interesting ideas on that list, but from a "selling security to the business" standpoint, number three is a standout.

Getting critical infrastructure CEOs in a room for a confidential briefing on cyber threats against them could lead to rapid executive buy-in that is still lacking within many organizations.

Topics around buy-in and security strategy are regularly discussed at SecureWorld regional cybersecurity conferences, so you might want to check out the event calendar.

Also, here is the NIAC's letter to the president: Transforming the U.S. Cyber Threat Partnerships.
