U.S. government agencies and businesses are largely unprepared for a major cyber attack from state-sponsored actors, and must prepare now, according to a report by key governmental-focused think tanks.
The Foundation for Defense of Democracies and The Chertoff Group published insights this week from a cyber-enabled economic warfare (CEEW) tabletop exercise they conducted with former senior government officials and private sector leaders.
The exercise imagined a massive cyber attack occurring at the same time as a major overseas military engagement. The results paint a dire picture of the ability of government and the private sector to communicate and collaborate in such a scenario.
“Unless government and private sector decision makers begin developing CEEW-specific procedures and trust now, the United States will find itself flat-footed during a major cyber event,” researchers wrote in a report published online.
Researchers intended the exercise to identify areas where the public and private sector align and where they differ. It measured what each stakeholder wants, needs and demands from the other in the immediate aftermath of a major cyber attack.
Four key findings emerged from the exercise, which demonstrated a doomsday scenario that impacted critical and consumer infrastructure, degraded military capabilities and fueled public fear that access to food, health care and bank accounts could be jeopardized.
Attack attribution a source of tension
Researchers found four key issues that show a disconnect between the public and private sectors as well as ways they can help each other to prepare for a major cyber attack.
The first is that the two sectors disagree about the importance of attribution of attacks and how relevant private sector data is to that attribution. There also are persistent misunderstandings regarding how businesses can legally share security and intelligence data with the government.
Private-sector companies showed mixed feelings about attack attribution, wanted more guidance from the government over why it’s so important, while stressing the importance of information about the operation of malware and cyber attacks.
Government organizations, on the other hand, prioritize attribution to help them make decisions how to act in the event of an attack, and are willing to consider broadening legal guidelines allowing for more extensive security information-sharing with the business sector.
A second finding highlighted the role of government response to a high-profile cyber attack. While the government has the emergency authority and powers to respond to attacks, there is a lack of clarity on how these can be practically invoked in case of an event.
“It is critical to build and sustain resilient enterprises now to mitigate future catastrophic impacts,” researchers found.
The private sector also has conflicting loyalties between protecting their businesses and the government’s interest in national-security regarding, researchers found. They urged the government to “nip this conflict in the bud” to ensure that the private sector’s conflicting loyalties do not undermine crisis response, they said.
Researchers took into account the power of public perception as well, especially with the proliferation of information on social media. Their fourth key finding notes that what the general population may perceive as inaction by the government in the event of a cyber attack must be factored into response planning.
“In an escalating overseas contingency, an already politically charged environment could be seeded with adversarial media operations to further sow discord,” researchers wrote. “Participants observed that adversarial influence operations using social media could be a powerful tool to affect opinion during crisis conditions.”
The way forward
The memo provides a list of 21 recommendations to help remedy each of the issues researchers found that are standing in the way of the current state of preparedness–or lack thereof–to defend U.S. public and private interests against cyber warfare.
Researchers recommend more transparency and cooperation across the board on cybersecurity, something with which the two sectors have long struggled.
For example, researchers recommended that the government should educate the private sector about the types of data needed to attribute and disrupt major cyber attacks as “part of a broader effort to explain why attribution is important not only for the government but also for the private sector.”
Researchers also urged more collaboration on a unified approach to warn critical-infrastructure and lifeline stakeholders of imminent attacks so they can be better prepared.
Overall, the memo advises policymakers to let history repeat itself in this case, taking a cue from Cold War continuity planning aimed to ensure the government could execute essential functions in the event of a nuclear attack.
Researchers said that today’s cybersecurity risks should be viewed in the similar manner, but with the consideration that “the private sector is on the battlefield,” and it’s the continuity of the U.S. economy now that must be supported by a comprehensive, collaborative plan.
“American innovation and prosperity are our nation’s greatest assets,” researchers wrote. “It is incumbent, therefore, that Washington and the private sector to work together to ensure their protection.