A mix of geopolitical power struggles, emerging technologies and increasingly sophisticated cyber adversaries spikes the risk that a “major cyber crisis” could hit the U.S., a new report said.
The cocktail of propellants make it imperative that the U.S. shore up vulnerabilities that adversaries can exploit and refine its cyber readiness, the New York Cyber Task Force (NYCTF) said in its report, entitled Enhancing Readiness for National Cyber Defense through Operational Collaboration.
What’s required is “operational collaboration,” an integrated public/private preparation and response to severe cyber crises, the report said. The document identifies weaknesses in the nation’s cyber response capabilities and offers five recommendations for improving its cyber readiness.
“Such a crisis could have significant adverse effects on public health and safety, the economy, and national security,” the NYCTF said. “Given mounting cyber challenges, the United States must take immediate steps to improve its cyber readiness to withstand such potential attacks.” The report “envisioned severe, yet plausible, scenarios” that could occur by 2025 to assess how the country can defend itself in the bigger picture.
The report comes in the wake of the massive SolarWinds Orion cyberattack that hit at least nine federal government agencies and whose impact has continued to reverberate in the U.S. and overseas.
“In cyber, the US has been playing kids soccer, chasing the last breach and incident, instead of proactively planning and preparing for national security challenges,” said Gregory Rattray, the NYCTF’s executive director and Next Peak co-founder. “As a case in point, the SolarWinds incident should not have surprised us. Our technology ecosystem is inherently permissive of deeply intrusive and disruptive attacks, and intelligence services have taken advantage of this for a long time,” he said.
Forming “deep” partnerships between public and private sector organizations in a “whole-of-nation effort” operational collaboration is central to improving cyber readiness, the report said. Recommendations in the Cyberspace Solarium Commission’s (CSC) report last year, upon which a number of cybersecurity measures, such as establishing a National Cyber Director post, have been adopted in the 2021 National Defense Authorization Act (NDAA) and coded into law last December, giving U.S. cyber readiness a much needed boost, the NYCTF said.
“An important contribution of the New York Cyber Task Force was testing some of the core recommendations of the Cyberspace Solarium Commission, particularly those that focused on public-private collaboration,” said Erica Borghard, an NYCTF member and senior senior fellow with the New American Engagement Initiative at the Scowcroft Center for Strategy and Security who also serves as a CSC senior director. “The fact that the task force's rigorous process validated those recommendations only further reinforces the critical importance of improving how the U.S. government works with the private sector on shared cyber threats.”
Five key recommendations from the report:
- Identify the key national security challenges that will confront the nation’s collaborative cyber defense effort.
- Establish a collaborative, coherent network leveraging existing information sharing and analysis organizations, network operations centers and cyber response teams in the government and the private sector.
- Establish the capability to coordinate activity and share situational awareness among key governmental and private sector players engaged in national-level cyber crisis response.
- Assess the readiness of U.S. cyber response capabilities to guide actions and investment.
- Ensure the availability of the right skilled personnel and the ability to respond in a vigorous, structured fashion to understand our readiness and potential weaknesses.
“Strengthening national cyber readiness should be seen as an opportunity, not a burden,” the NYCTF’s report said. “Cyber readiness in the face of severe but plausible cyber shocks will enable confidence in the digital transformations already underway.
Columbia University’s School of International and Public Affairs (SIPA) sponsors the NYCTF, which delivered its first report in 2017, “Building a Defensible Cyberspace.” The current report builds on the findings of the initial document. The NYCTF is currently composed of 45 members spanning the private and public sectors, including government policy makers, cybersecurity executives, academia and others. Upcoming NYCTF events include:
- March 12, 2021: Panel event with the Council on Foreign Relations
- March 17, 2021: Panel event with the Atlantic Council
- May 20, 2021: RSA Conference, Operational Collaboration: Public-Private Partnerships for Cyber Resilience