In the course of the next decade, the United States must boost its capacity to defend its critical functions from adversaries who aim to cause disruption through cyberspace. Dealing with this cyber challenge to US national security will take operational collaboration that unites all levels of the government and the private sector.
Over the last year, I served as executive director of the New York Cyber Task Force (NYCTF). The group of cyber experts from academia, government, and the private sector explored the plausible national-security risks likely to impact the United States over the next five years and analyzed whether the United States is ready to face these challenges in cyberspace. The risks, as we identified, were driven by great-power competition, advancements in new technologies like artificial intelligence (AI), and the proliferation of advanced cyber tools among cyber adversaries. Our most recent report, Enhancing Readiness for National Cyber Defense through Operational Collaboration, offers recommendations for jumpstarting operational collaboration and enhancing US responses to these cyber challenges.
Operational collaboration will require the public and private sectors to form deep partnerships in coordinating cyber-defense actions, planning, and capacity building for cyber resilience. Their activities must include joint intelligence production, operational planning and response, and thorough contingency planning for more rapid and effective recoveries from cyber events. These efforts can maximize the strategic impact of public- and private-sector capabilities, speed up defenders’ response times, and provide organizations with advanced warning of potential attacks and complex threats to resilience.
The Biden administration has clearly acknowledged cybersecurity as a top-tier priority and the vital role operational collaboration plays in solutions to US cyber challenges. While the administration still needs to deal with the effects of the SolarWinds incident, it now faces additional emerging challenges from the Microsoft Exchange intrusions and, most recently, the ransomware attack on critical energy provider Colonial Pipeline. In January, US President Joe Biden appointed Anne Neuberger as deputy national security advisor for cyber and emerging technology and launched a sixty-day review to structure cyber strategy going forward. While these seem like the right steps, concrete action needs to follow quickly—not only by standing up a new national cyber director, a position that Biden has nominated Chris Inglis to be the first to fill, but also by outlining a clear path to deeper public-private partnerships.
The public sector’s strategy to improve US cyber capabilities has evolved beyond its initial focus on information sharing, which included the US Congress passing the Cybersecurity Information Sharing Act in 2015. Even at the time, the cybersecurity community understood that information-sharing measures alone, while necessary and important, would not be enough to defend the United States’ critical functions. By then, cyber defenders had already seen threats rapidly evolve in the form of the highly disruptive Iran-linked attacks on Saudi Aramco and the politically motivated North Korean targeting of Sony. Nation-state and cybercriminal groups soon seized on National Security Agency tools leaked by the Shadow Brokers in 2016. The government and private sector thus came to recognize that:
- Cyber threats to national security were already upon us.
- Private-sector organizations were at the frontline of these cyber threats.
- The cyber community needed to engage in cross-sector collaboration that went deeper than simply sharing information to effectively warn of, mitigate, and recover from large-scale incidents.
In response, leaders of financial organizations sought to advance collaboration among themselves and with the government to jointly address the growing risk of cyberattacks. In 2016, the Financial Services Information Sharing and Analysis Center, a cyber intelligence-sharing community, created the Financial Systemic Analysis and Resilience Center (FSARC) to enhance cooperation among firms, the US government, and other key sector partners on analyzing, preparing for, and identifying potential cyber risks for the financial system. The success of that initial collaboration plotted a path for broader progress. The combined activities of the Cybersecurity and Infrastructure Agency (CISA), US Cyber Command, and Microsoft helped secure the 2020 US presidential election. Last year, the FSARC expanded to include the energy sector under the new Analysis and Resilience Center (ARC) for Systemic Risk. Recent studies by the Cyberspace Solarium Commission and the Aspen Cybersecurity Group have called for a focus on improved operational collaboration, while the 2021 National Defense Authorization Act (NDAA) also included a number of provisions on this front.
Yet the United States is still poorly prepared to respond to significant cyber events or attacks stemming from both increasingly sophisticated adversaries and the rapid evolution of technology. The SolarWinds and Microsoft Exchange incidents have highlighted once more that these foes have many ways to up their game in terms of conducting cyber intrusions. If adversaries were to leverage such access to networks and data for disruptive objectives, it would undoubtedly have severe impacts across the public and private sectors in the United States. Additionally, as the pandemic accelerates dependence on cyberspace, new technology and potential loci for cyber intrusions now co-evolve quickly. While operational collaboration is on the rise, the United States is not currently leveraging the potential of joint warning capabilities from public-private intelligence efforts. Even more fundamentally, it lacks critical contingency planning and resources to respond to major cyber incidents.
Building national cyber resilience demands still deeper public-private operational collaboration. NYCTF experts identified three main gaps in the US cyber-response system. First, the United States has not clearly identified the severe, but plausible, challenges worthy of planning and capacity investment. Second, the United States has not designated a focal point for coordinating a national-readiness effort. Lastly, the United States has not yet fully engaged the private sector as partners with the government in defending against national-security threats in cyberspace—despite the private sector’s position on the frontline of cyber incidents.
The NYCTF’s recommendations tackle these gaps by stressing national cyber readiness through operational collaboration and are intended as a starting point for moving the United States away from chasing the last security breach or incident and toward preparing for future national-security challenges.
- We call for the identification of national cyber crisis contingencies that pinpoint key cyber risks to guide planning.
- We suggest a national cyber response network (NCRN) that would include response nodes in the government, private-sector companies, and cyber groups like Information Sharing and Analysis Centers and eventually more organizations in a manner similar to the ARC’s model.
- We stress that the NCRN must have the ability to coordinate in a way that enhances situational awareness and makes clear a common concept of operations for effective coordination.
- We advise that the government should create mechanisms to continually assess national cyber-response capabilities to ensure the United States’ readiness at all times.
- We call for training and exercises under the NCRN structure that can help bolster national cyber readiness. In addition, the NYCTF developed a series of supporting recommendations to promote operational collaboration: establish integrated cyber crisis-information networks, address the evolution of technology, remove legal and procedural barriers to enhancing responsiveness, build trust and confidence in responses, and close resource gaps to ensure the country is ready for cyber crises.
The United States must work harder to advance operational collaboration for cyber readiness and resilience. The US cyber response needs investment, not solely more awareness. The position of the national cyber director must be strongly supported by a staff focused on establishing public-private partnerships as well as the NCRN. Operational-collaboration initiatives as called for in the 2021 NDAA, like the new joint public-private cyber planning office in CISA, must be implemented properly and granted the resources needed so that practical defensive campaigns can be quickly executed at scale. The private sector must also continue to seek close collaboration with the government and invest in capabilities to build the readiness and resiliency of key US industries against cyberattacks. Lastly, government and business leaders need to pursue the legal and procedural changes necessary to work closely together on contingency planning and response in order to make it possible for private-sector players to be full partners.
The United States must prepare today to encounter future cyber-defense challenges, which requires investing the resources to establish and strengthen organizations, foster relationships, and build trust and joint capabilities through operational collaboration. These public-private processes, organizations, and relationships will provide the readiness and resiliency that will be needed when the next challenges that are clearly coming in cyberspace emerge. Biden and the new national cyber director should lean into the progress made so far on operational collaboration and continue to build the capacity for a whole-of-country effort to defend against cyber threats.
Gregory Rattray is a senior fellow in the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative at the Atlantic Council and partner and co-founder of Next Peak LLC.
New Atlanticist May 4, 2021
A plea to the Pentagon: Don’t sacrifice resilience on the altar of innovation
By JC Herz
US defense systems are vulnerable because they are brittle and unmaintained, and thus not resilient. Fixing it will require a new approach to acquisition.
New Atlanticist Mar 24, 2021
How to reverse three decades of escalating cyber conflict
By Jason Healey and Robert Jervis
Cyber conflict has not yet escalated from a fight inside cyberspace to a more traditional armed attack because of cyberspace. In part, this is because countries understand there are some tacit upper limits to escalation above which the response from the offended country will be war. Unfortunately, this happy state may not last.
New Atlanticist Dec 21, 2020
To defend US elections, we must recognize that the fault is in ourselves
By Nina Kollars and Michael Rodriguez
It is time to put money toward state information infrastructure, to align public expectations with the pace of the democratic process, and to hold elected leaders accountable for lighting fires in information dumpsters.