Privacy & Information Security Law Blog

On August 22, 2017, the National Infrastructure Advisory Council (“NIAC”) issued a report entitled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (“NIAC Report”). NIAC was first created in 2001 shortly after the 9/11 attacks and advises the President on information security systems in banking, finance, transportation, energy, manufacturing and emergency government services. The NIAC Report notes that sophisticated and readily available malicious cyber tools and exploits have lowered the barrier to cost and increased the potential for successful cyber attacks. According to the NIAC Report, “[t]here is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action.”

The NIAC Report calls on the Trump Administration to take “bold, decisive actions” to improve critical infrastructure cybersecurity, including (1) establishing separate and secure communications networks for critical cyber networks; (2) facilitating a private-sector-led pilot of machine-to-machine information sharing technologies; (3) identifying best-in-class scanning tools and assessment practices; (4) strengthening the cyber workforce; (5) establishing outcome-based market incentives to encourage upgrades to cyber infrastructure; (6) streamlining security clearance processes for owners of critical cyber assets; (7) establishing protocols to rapidly declassify and proactively share cyber threat information; (8) creating a private-public task force of cyber experts; (9) leveraging GridEx IV Exercises to test cyber incident response; and (10) establishing an optimum cybersecurity governance approach.

The NIAC Report further recommends that the National Security Advisor be tasked with reviewing the report and, within 6 months, recommend immediate steps forward. Relatedly, President Trump’s recent E.O. 13800 directs the government to engage with such critical infrastructure to identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities, and issue a report to the President by November 2017.