
We Lack a Plan for Responding to a National or Even Global Cyber Event

The time is past for exploratory efforts; action is needed now.

Leadership and accountability are required to move our nation forward in our collective efforts to improve the national capability to detect, prevent, mitigate, respond and recover from cyber events that may have national or even global consequence. This is such an important arrow in our quiver of national preparedness and resilience that it demands priority attention.

The frequency and sophistication of cyber attacks perpetrated by a variety of bad actors continue to grow. These malefactors include hackers seeking notoriety, hacktivists attempting to influence political direction and thinking, criminals seeking financial gain, nation-states pursuing economic espionage to steal intellectual property and trade secrets or even gain military advantage, and terrorist organizations that recruit through a program of propaganda and carry out destructive attacks against critical infrastructure intended to inflict injury and death.

Accordingly, our national efforts at cyber preparedness and resilience must accelerate and include a published and tested plan for responding and recovering from a cyber event of national or even global consequence. Yet, in spite of collaborative and concentrated efforts by private sector and public sector subject matter experts that began in 2008 to develop a coherent National Cyber Incident Response Plan (NCIRP) and produced a draft NCIRP that was sent to the White House for review and approval in 2009, today there is no approved, published and routinely tested national plan for responding to and recovering from a national or global cyber event.

If the nation were to be confronted by a massive, widespread denial-of-service attack against a critical infrastructure sector—which could include a cascading effect to other sectors—or the release of destructive malware attacking a lifeline critical infrastructure, what would be the process for gathering ground truth and achieving real-time or near-real-time situational awareness that is reliable and actionable to inform the decision making process? What is the decision making process and how, when and where will the owners and operators of the nation’s private sector critical infrastructure be included in the process? How do we ensure a coordinated and more effective process that avoids multiple inquiries from a variety of government entities, often to different people within the same organization, asking the very same questions or seeking the very same information, which can contribute to confusion and inefficiency?

Also to be defined are the roles and responsibilities of various government entities such as the Homeland Security Department; FBI; Secret Service; FEMA; Defense Department; White House National Security staff; Treasury Department; Energy Department; sector specific agencies such as Environmental Protection Agency and the Transportation Security Administration; and various state entities such as offices of emergency management or homeland security.

How will efforts be coordinated across the stakeholder community to ensure a timely and productive effort at response and recovery?

We need to determine the thresholds of escalation of a national cyber event that prompt other-than-routine action as well as the decision making process for identifying appropriate steps to mitigate or reduce the impact of a significant cyber event with national consequences. How coordination is implemented and accomplished when a cyber event causes a physical impact or, conversely, when a physical attack produces a significant cyber impact is also a key issue.

A malicious cyber attack against the power grid, the water supply system or other critical infrastructure might cross a threshold from the jurisdiction of the Homeland Security Department to the Defense Department. When would such an event cross this threshold, and what are the handoff procedures? How are the private sector owners and operators of the nation’s critical infrastructure integrated into the process for building and maintaining situational awareness as well as the response and recovery decision making process from the early stages of an event through the thresholds of escalation to improve coordination, collaboration and communication on behalf of the American people?

All of these are reasonable issues that today remain unresolved.

It seems logical to assume that such an overall plan would build on the good work accomplished through a joint public-private effort in 2008 and 2009 that produced the draft NCIRP, which was delivered to the White House in 2009. That plan remained in a draft interim status, although it was referenced in several national cyber exercises from 2010 until recently. It now appears the draft NCIRP has been discarded, although no information about a successor plan or the process for preparing such a plan has been announced.

The administration should convene a group of private sector and public sector subject matter experts from across the stakeholder community to update and refine a new NCIRP. Such a plan should provide clarity around roles and responsibilities, both at the strategic level as well as at the operational level in a series of playbooks that identify thresholds of activity prompting actionable steps to mitigate, respond and recover from any cyber event that may have national or even global consequences. That plan should be dynamic and tested regularly through national level exercises to identify gaps and create after-action plans that prompt the development of plans of action and milestones for continuous improvement in the nation’s cyber preparedness and resilience.

Since 2006, the nation has invested millions of taxpayer dollars into Tier I and Tier II national-level cyber exercises. Yet, the findings and after-action plans from those exercises remain largely unaddressed, with evidence of repeated gaps being identified exercise after exercise.

The stakeholder community is ready to participate and contribute in the creation of an effective NCIRP. Working in a collaborative manner, everyone in the community can make a difference.

Robert B. Dix Jr. is the vice president, Global Government Affairs and Public Policy for Juniper Networks.