As the country grows increasingly reliant on digital connectivity, it is also becoming more vulnerable to attacks. These attacks are sophisticated, frequent, and targeted.
To protect against these threats, the federal government has to share threat information with nonfederal partners. However, challenges to sharing cyber threat information persist. This report describes these challenges and recommends solutions.
Defend Against Cyberattacks
The government is a top target for cyberattacks because it holds sensitive information and operates critical infrastructure that attacks can disrupt. It is targeted by politically motivated hacktivists and by state actors alike, as Russia’s cyberattacks on Ukraine and other Western countries show, and adversary nations routinely probe its networks to pre-position access that could be used in a future conflict.
As the Federal Government becomes more interconnected, it’s increasingly vulnerable to cyberattacks. To ensure the safety of our networks, the government needs to protect its own systems and provide a clear set of policies and practices for private sector organizations to follow. This includes enacting robust cybersecurity laws, training employees on how to spot and respond to a cyberattack, and strengthening cooperation between law enforcement agencies and private corporations.
Fortunately, the government is working to strengthen its ability to defend itself against cyberattacks. For example, it has stepped up its efforts to prevent cyberattacks by identifying and remediating vulnerabilities in its networks before they are exploited. It is also investing in new tools and technology to better detect and stop cyberattacks in progress. And it is partnering with state, local, tribal and territorial (SLTT) governments and private industry to improve their ability to identify and share threat intelligence.
To keep cyberattacks from disrupting operations and harming national security, the Department of Defense (DoD) has adopted a “defend forward” strategy that disrupts threats at their source, targeting adversary cyber capabilities and the infrastructure that supports them.
Its companion concept, persistent engagement, shifts DoD’s posture in cyberspace from reactive to proactive: just as the U.S. Navy keeps the peace by sailing the seas and the U.S. Air Force protects the skies by flying patrols, U.S. cyber forces continuously contest adversary cyber actors and their supporting infrastructure rather than waiting for an attack to land.
The 2018 Department of Defense Cyber Strategy also states that the United States will defend forward to disrupt malicious cyber activity at its source, even when it does not rise to the level of an armed conflict. This means that if a device, network, or organization is identified as a threat to the United States and its networks, it can expect the United States to impose costs in response.
Protect Critical Infrastructure
A single cyberattack against a vital sector like electricity, banking and financial services or transportation can disrupt global commerce and cause significant harm to society. Governments should set clear policies to protect these sectors. They should encourage industries to use security best practices and to share threat intelligence, and provide incentives to improve their security posture. They should also work with private industry to help them invest in improved cybersecurity solutions and to ensure that government policies are implemented effectively.
The federal government should also take decisive steps to modernize its approach to cybersecurity, such as accelerating the move toward Zero Trust Architecture and centralizing and streamlining access to cybersecurity data. It should also invest in the personnel and technology needed to keep pace with evolving threats.
Governments can also support critical infrastructure companies by encouraging them to make security a core business requirement. This includes promoting the use of software development processes that prioritize security, and providing financial levers that encourage banks and venture capitalists to promote security features in new technologies. In addition, the government should develop a national cybersecurity hygiene campaign to educate citizens about basic cyber safety and how to protect themselves against common attacks.
Finally, governments should develop robust mobilization plans to respond to cyber incidents, including a severity-assessment matrix that defines which agencies should lead the response. They should consider whether to create a single portal to which critical infrastructure companies can report all cyber incidents. This could be a public portal that would allow them to share information about the incident with other small and midsize enterprises.
The success of any cybersecurity strategy depends on the coordination of many different stakeholders. From telecommunications and internet service providers to utilities, financial institutions and regulators, they must all act together to keep the system working properly. By understanding the full map of interactions, it is possible to identify feedback loops that incentivize or disincentivize particular behaviors—such as ignoring vulnerabilities and not updating software. A causal loop diagram can be an effective tool for identifying these interlinkages, and can help guide interventions that will reduce the risk of cyberattacks.
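The causal loop analysis described above can be carried out mechanically once the stakeholder influences are written down as signed links. The following is an added example, not part of the original report: it builds a small, constructed influence graph (the stakeholder names, links and polarities are invented for illustration), enumerates every feedback loop, and classifies each as reinforcing (a vicious or virtuous circle) or balancing (self-correcting). The sign rule is the standard one for causal loop diagrams: a loop is reinforcing when it contains an even number of negative links.

```python
"""Causal loop diagram (CLD) analysis: enumerate the feedback loops in a
stakeholder influence graph and classify each as reinforcing or balancing.

Added example. The variables, links and polarities below are constructed for
illustration and are not taken from any real study or model.
"""
from typing import Dict, List, Tuple

Edge = Tuple[str, str]
Loop = List[str]

# Constructed influence links. Polarity +1 means the two variables move in the
# same direction (more A gives more B); -1 means they move in opposite directions.
LINKS: Dict[Edge, int] = {
    ("patch_backlog", "incident_rate"): +1,        # unpatched flaws cause incidents
    ("incident_rate", "regulatory_pressure"): +1,  # incidents draw regulator attention
    ("regulatory_pressure", "security_budget"): +1,
    ("security_budget", "patch_backlog"): -1,      # funding shrinks the backlog
    ("incident_rate", "staff_burnout"): +1,        # firefighting exhausts responders
    ("staff_burnout", "patch_backlog"): +1,        # exhausted staff defer patching
    ("incident_rate", "threat_sharing"): +1,       # incidents push partners to share
    ("threat_sharing", "incident_rate"): -1,       # shared intelligence prevents incidents
}


def adjacency(links: Dict[Edge, int]) -> Dict[str, List[str]]:
    """Successor lists for every node mentioned in the link table."""
    adj: Dict[str, List[str]] = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def find_loops(links: Dict[Edge, int]) -> List[Loop]:
    """Enumerate simple cycles by depth-first search.

    Each cycle is reported exactly once, starting from its lexicographically
    smallest node; nodes that sort below the start are never entered, so
    rotations of the same cycle are not duplicated.
    """
    adj = adjacency(links)
    loops: List[Loop] = []

    def dfs(start: str, node: str, path: List[str]) -> None:
        for nxt in sorted(adj[node]):
            if nxt == start:
                loops.append(path[:])
            elif nxt > start and nxt not in path:
                dfs(start, nxt, path + [nxt])

    for start in sorted(adj):
        dfs(start, start, [start])
    return loops


def polarity(loop: Loop, links: Dict[Edge, int]) -> int:
    """Product of the link signs around the loop: +1 reinforcing, -1 balancing."""
    sign = 1
    for i, node in enumerate(loop):
        sign *= links[(node, loop[(i + 1) % len(loop)])]
    return sign


def classify(links: Dict[Edge, int]) -> List[Tuple[Loop, str]]:
    """Every feedback loop in the graph, labelled reinforcing or balancing."""
    return [
        (loop, "reinforcing" if polarity(loop, links) > 0 else "balancing")
        for loop in find_loops(links)
    ]


def loops_through(node: str, links: Dict[Edge, int]) -> List[Tuple[Loop, str]]:
    """Loops that a candidate intervention point participates in."""
    return [(loop, kind) for loop, kind in classify(links) if node in loop]


if __name__ == "__main__":
    for loop, kind in classify(LINKS):
        print(f"{kind:12s} " + " -> ".join(loop + [loop[0]]))
    # Which loops would an intervention on staff burnout (e.g. surge staffing) touch?
    for loop, kind in loops_through("staff_burnout", LINKS):
        print("intervention on staff_burnout affects a", kind, "loop:", loop)
```

On the constructed graph the analysis finds three loops: a balancing loop in which incidents raise regulatory pressure, which funds security work and shrinks the patch backlog; a reinforcing loop in which incidents burn out staff, who then defer patching and cause more incidents; and a balancing loop in which incidents drive threat sharing, which in turn reduces incidents. The reinforcing loop is the one a policy intervention should break, which is what `loops_through` is for.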
Enforce Laws
To secure the nation’s cyber and infrastructure security, the government must have robust laws and regulations that can be enforced. It must also be able to respond quickly and effectively to cybersecurity incidents as they arise, and carefully examine the causes of those incidents in order to improve the country’s defenses against future attacks.
To develop and implement these policies, the government needs in-house expertise. This is why best-in-class countries establish national cybersecurity agencies (NCAs) to improve cybersecurity capabilities within their governments, promote security best practices, advance toward Zero Trust Architecture, and centralize and streamline access to cybersecurity data for the analytics used to identify threats.
These agencies typically work in partnership with private entities to ensure that cybersecurity risks are properly identified and addressed, while protecting privacy and civil liberties. To do this, the NCA needs to have sufficient staff and technical resources to meet its objectives. This means balancing the need to hire cybersecurity professionals with the need to ensure that those personnel have the proper skills and qualifications to protect their organizations.
It is important for the government to be aware of the potential for its cybersecurity measures to encroach on individual privacy and freedoms, so it must consider whether it can achieve its desired goals without compromising those rights. The law enforcement community should also be involved in the process, because they can play a key role in ensuring that the government’s policies are being effectively enforced.
The government’s enforcement tools vary by policy, but penalties such as fines, public disclosure of violations, and legal action are commonly used. The government can also use education and awareness campaigns to encourage adherence to certain policies. Because the executive branch issues and enforces much of this policy itself, it can exercise enforcement discretion and rescind its own executive orders and regulations without going through Congress, although repealing a statute still requires legislation.
As part of its enforcement efforts, the Federal Government must be able to communicate with state, local, tribal, and territorial (SLTT) law enforcement about what types of incidents require reporting. This communication is facilitated by the National Cybersecurity Incident Reporting Tool, which can be used by SLTT police to identify and report cyber incidents and their possible consequences.
Monitor the Internet
As the world becomes more connected, protecting critical infrastructure — such as electricity and water — from cyberattacks has become a national priority. To do so, federal agencies and critical infrastructure owners and operators must share information on cyber threats. However, long-standing challenges impede effective information sharing. For example, representatives from one nonfederal partner reported that it took them about 5 months after a threat was identified by the FBI to receive a briefing on that threat.
To help address these challenges, the government can provide more resources for state, local, tribal and territorial (SLTT) law enforcement to respond to cyber incidents. This includes providing SLTT law enforcement with training opportunities and sharing cyber incident reporting guidance. It can also provide them with access to federally funded forensic analysis capabilities and support for conducting large-scale data analytics to identify common cyber attack patterns.
In addition, the government should actively monitor the Internet to detect and respond to cyberthreats. It can do this through a 24/7 operations center such as the National Cybersecurity and Communications Integration Center (NCCIC), which gives government, private sector, and international partners centralized visibility into cyber threats. The NCCIC can also coordinate with nongovernmental organizations to respond to and mitigate cyberattacks against the United States, including its citizens and its businesses.
The NCCIC can also leverage existing national-security intelligence to assess threats against the United States. This helps the NCCIC to identify and prioritize the most serious threats for the Federal Government to tackle.
Finally, the NCCIC can use its threat intelligence to guide the development of more secure federal systems. This can include developing cybersecurity best practices, advancing toward Zero Trust Architecture, and speeding up movement to secure cloud services, such as Software as a Service.
The NCCIC can also work with the private sector to develop and deploy enduring “leap-ahead” technologies, strategies, and programs that can increase cybersecurity by orders of magnitude above current systems. It can do this by identifying and communicating common needs for research in these areas and working with the private sector to identify high-risk/high-payoff research activities that would benefit from mutual investment.