Cybersecurity and the National Infrastructure Advisory Council
September 14th, 2017 by CHHS RAs
By CHHS Intern Jonathan Lim
In August, several members of the President’s National Infrastructure Advisory Council (NIAC) resigned, citing, among other reasons, the current Administration’s lack of attentiveness to cybersecurity issues, which leaves the country’s infrastructure vulnerable. For his part, the President had issued a sweeping Executive Order several months ago, ordering many agencies to study and report on their state of cybersecurity readiness. NIAC’s report was released a day after the resignations and stated that the United States is in a “pre-9/11 moment” in terms of cybersecurity.
The report offered 11 recommendations on how to improve cybersecurity, the most notable being creating a separate network over dark fiber, establishing outcome-based market incentives to encourage owners to upgrade their cybersecurity, and establishing an “optimum cybersecurity governance approach.” However, some analysts believe these are too many recommendations, and most businesses may find them impractical. Still, even those critics agree with the core message of the report: that a “cohesive and collaborative approach from both government and private sectors” will be necessary in the future.
The country may avert a Cyber 9/11 by putting into effect the more practical and more important recommendations from the report, which include streamlining Federal cybersecurity authority and resources (an “Optimum Cybersecurity Governance Approach”) and creating a separate, secure communications network utilizing “dark fiber.”
The U.S. Can Follow the Examples of the U.K. and Israel in Creating a Centralized Cybersecurity Authority
The Council noted in its report that the “U.S. Federal Government is not organized to effectively deploy existing cyber capabilities and authorities” because “capabilities and oversight are fragmented, and roles and responsibilities remain unclear.” It offered the United Kingdom, which replaced three separate organizations with the National Cyber Security Centre last year, as an example of the aforementioned Optimum Cybersecurity Governance Approach. The Council believes this will provide a “unified source of threat intelligence.”
The Council also looked to Israel as an example. Israel recently created the National Cyber Bureau (NCB) and the National Cyber Defense Authority (NCDA). The NCB bears the responsibility for promoting best cybersecurity practices by advising Israel’s Prime Minister and by interfacing with academia to promote research and development. The NCDA is premised on the idea that cyber defense requires “close cooperation among all parts of the civil sector,” and has the responsibility to “direct, operate, and execute” national cybersecurity measures.
Both the U.K. and Israeli models charge their operational agencies with effecting deterrence through retaliatory cyber-attacks if needed. Currently, there is some controversy over whether private companies can also engage in such attacks. The U.S. will need to decide if it should allow this, or instead further centralize its existing counter-hacking capabilities.
What is a Dark Fiber network, and how can it help?
Despite the ominous name, dark fiber is simply “optical fibre infrastructure that is not in use.” When the original fiber-optic infrastructure was laid in the U.S., companies installed far more cables and hardware than were needed in anticipation of ever-growing bandwidth needs. However, advances in technology now allow more data to be transmitted on the same cables, rendering the extra fiber-optics unused, or “dark.” Those responsible for the nation’s critical infrastructure can use these dark fiber lines to set up a more secure network that is separate from the rest of the internet, while avoiding the exorbitant civil engineering cost of laying down a new network infrastructure.
The Near Future
While the Council had other recommendations, some (such as expediting the security clearance process) may be more easily accomplished once the U.S. takes steps to streamline cybersecurity governance. Other recommendations may need to be deferred or may never be implemented, but the Council’s report at the least offers potential steps the United States could take to thwart a Cyber 9/11.