By: Erica Borghard
What is the kernel of the issue?
Adversaries routinely target privately owned critical infrastructure, such as financial institutions and the healthcare sector, in cyberspace for coercive and strategic purposes. However, the private sector does not yet play a meaningful, systematic role in shaping how the US government collects intelligence about cyber threats.
Why is the issue important?
Cyber defense and resilience rest on reliable and comprehensive intelligence collection, but US intelligence collection efforts are incomplete. One reason is that the process for defining collection requirements takes place entirely within the government. As a result, requirements are defined without meaningful context or input from the very entities that are likely to be targeted (the private sector) and without unique, industry-specific subject-matter expertise.
What is the recommendation?
The Biden administration should work with the intelligence community to review the National Intelligence Priorities Framework (NIPF) process, the primary mechanism that establishes and defines all intelligence collection priorities, including cyber. Specifically, it should develop concrete recommendations for how the NIPF could be better tailored to collection requirements that would enable early warning against cyber threats to critical infrastructure. This would be a critical step in making the private sector more of a meaningful stakeholder in a comprehensive understanding of the threat environment.