A bipartisan council filled with presidential appointees is recommending that the president direct the federal government to make its cyber intelligence more actionable, including having the intelligence community put more emphasis on cyber exploits and attacks of U.S. critical infrastructure, and calls for a new independent Federal Cybersecurity Commission (FCSC) to lower cyber risks to critical infrastructure that have national security implications.
"Mr. President, America's companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own," says a draft report from the President's National Infrastructure Advisory Council (NIAC) released on Monday. "Incremental steps are no longer sufficient; bold approaches must be taken."
Among the recommendations for actionable cyber intelligence, the NIAC recommends a Critical Infrastructure Command Center (CICC) be established "to improve the real-time sharing and processing of private and public data, including classified information" between government and private sector analysts co-located at the center.
It also says an increase in "collecting, detecting, identifying, and disseminating" information about the cyber security efforts of nation-state and non-state actors against critical infrastructure "should be a Priority 1 topic within the National Intelligence Priorities Framework."
And to better get the message across to the nation's chief executives in the energy, communications, and financial services sector, the draft report recommends a one-day Top Secret briefing "to build a compelling case for company action to counter serious cyber threats and to facilitate operationalizing the CICC."
The FCSC would be established through an executive order and provide "a bold new approach for the streamlining of regulatory authorities to achieve cyber mitigations in the private sector and counter extraordinary cyber threats," the NIAC says. The work of the FCSC would be done by industry executives and government leaders.
The draft report also calls for modernizing legal authorities, including directing the Department of Justice to examine existing authorities for how the government can direct businesses to bolster their cyber security and to identify laws that prevent companies from adopting cyber protection and sharing more information with the government.
To strengthen supply chain security, the NIAC recommends that companies receive "liability protection allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure." It also recommends that the efforts by the Energy Department's national laboratories be expanded to "test vendor equipment for vulnerabilities and report the results to private companies."
"The nation is not sufficiently organized to counter the aggressive tactics used by our adversaries to infiltrate, map, deny, disrupt, and destroy sensitive cyber systems in the private sector," the draft report warns.
The report was requested by the White House National Security Council in September and will be discussed this Thursday at its quarterly business meeting at Eisenhower Executive Office Building.