Cybersecurity Investing

Fostering National Resilience: Insights from Cybersecurity Investors

Resilience is a foundational element of layered cyber deterrence. It denies adversaries benefits by reducing the chances that their attacks can achieve strategic objectives or have strategic consequences.

This pillar focuses on three strategic objectives to enhance the nation's resilience.

STRATEGIC OBJECTIVE #1: UNDERSTAND, ASSESS, AND MANAGE NATIONAL RISK
Owners and operators of critical infrastructure are not always fully aware of the risk they inherit, the risk they own, the risk they pass on, and/or the risk they bear for national security, economic security, and public health and safety. The US needs to create an accurate picture of "national risk" and focus on strengthening the public-private mechanisms for both understanding and mitigating national risk in areas where such mitigation is most critical.

Key Recommendation: Congress should codify responsibilities and ensure sufficient resources for the Cybersecurity and Infrastructure Security Agency (CISA) and sector specific agencies (SSAs) in the identification, assessment, and management of national and sector-specific risk.

While empowering CISA is a critical step in building national resilience, the executive branch must also take steps to strengthen SSAs. National resilience requires that each of these agencies is able to identify, assess, and support the private sector in managing risks within the sector under its charge and to contribute to managing risks at the national level.

However, there are significant imbalances and inconsistencies in both the capacity and the willingness of these agencies to manage sector-specific risks and participate in government-wide efforts. The ability of the federal government to scale up its efforts and advance a deeper collaboration with the private sector on cybersecurity and resilience depends on guiding SSAs to maturity, ensuring their consistency across sectors, and fully integrating them with national risk management efforts led by CISA.

Enabling Recommendations:

  • Establish a Five-Year National Risk Management Cycle Culminating in a Critical Infrastructure Resilience Strategy
  • Establish a National Cybersecurity Assistance Fund to Ensure Consistent and Timely Funding for Initiatives That Underpin National Resilience

STRATEGIC OBJECTIVE #2: ENSURE NATIONAL CAPACITY TO RESPOND TO AND RECOVER FROM A SIGNIFICANT CYBER INCIDENT
The US should establish a national capacity to respond to and recover from a significant cyber event, while also providing the government with the authorities necessary to ensure economic continuity and cyber resilience. National resilience requires the nation to be sufficiently prepared to respond to and recover from attacks, sustain critical functions under compromised conditions, and even sometimes restart critical functionality after disruption.

Key Recommendation: Congress should direct the executive branch to develop and maintain Continuity of the Economy planning in consultation with the private sector to ensure the continuous operation of critical functions of the economy in the event of a significant cyber disruption.

While Continuity of Operations and Continuity of Government planning have been cornerstones of government contingency planning, there is no equivalent effort to ensure the rapid restart and recovery of the economy after a major disruption.

In developing the Continuity of the Economy plan, the US should focus on maintaining the continuity of national- and international-level distribution or exchange of goods and services, on which US economic strength and public confidence are founded.

Disruption of upstream, national-level mechanisms in many sectors (including stock exchanges, wholesale payments, medicine, telecommunications) would have cascading effects downstream, creating further failures at regional and local levels and causing shortages that would hamper US response, recovery, and mobilization efforts.

Creating this plan will ensure and demonstrate to adversaries that the US has the wherewithal to respond and remain resilient to a significant cyber attack.

Key Recommendation: Congress should codify a "Cyber State of Distress" tied to a "Cyber Response and Recovery Fund" to ensure sufficient resources and capacity to respond to significant cyber incidents.

Current mechanisms for cyber incident response do not empower federal agencies with additional authority, funding, or resources to respond to or aid non-federal entities even when a "significant cyber incident" designation has been made. The absence of such empowerment remains a key check on the US government's ability to ensure appropriate capacity, support, and organization in its response to cyber incidents.

As a result, Congress should address this shortcoming by passing a law codifying a "Cyber State of Distress" — a federal declaration that would trigger the availability of additional resources through a "Cyber Response and Recovery Fund" — to assist SLTT governments and the private sector beyond what is available through conventional technical assistance and cyber incident response programs.

Enabling Recommendations:

  • Designate Responsibilities for Cybersecurity Services Under the Defense Production Act
  • Clarify Liability for Federally Directed Mitigation, Response, and Recovery Efforts
  • Improve and Expand Planning Capacity and Readiness for Cyber Incident Response and Recovery Efforts
  • Expand Coordinated Cyber Exercises, Gaming, and Simulation
  • Establish a Biennial National Cyber Tabletop Exercise
  • Clarify the Cyber Capabilities and Strengthen the Interoperability of the National Guard

STRATEGIC OBJECTIVE #3: ENSURE THE SECURITY OF OUR ELECTIONS AND RESILIENCE OF OUR DEMOCRACY

The US government should ensure the security of its elections and resilience of democracy because they are an attractive target for malicious actors. The federal institutions charged with protecting the electoral process require organizational reform, enduring funding streams, and modern mandates to ensure that states and other partners in our political system can improve and maintain their cybersecurity capacity. Going beyond elections, the US government must also seek to better understand and counter broader cyber threats targeting democratic institutions.

Key Recommendation: Congress should improve the structure and enhance funding of the Election Assistance Commission (EAC), enabling it to increase its operational capacity to support states and localities in defense of the digital infrastructure underpinning federal elections — including ensuring the widest possible employment of voter verifiable, auditable, paper-based voting systems.

The American people rely on government institutions, infrastructure, tools, and personnel to provide a fair, open, and safe electoral system in which every vote counts and election results reflect the will of the American voter. The election system's increasing reliance on digital connectivity and data makes it vulnerable to cyberattacks and cyber-enabled information operations such as those seen in 2016, 2018, and likely already in 2020.

Election officials should be resourced with the tools and expertise to develop and rehearse plans for Election Day contingencies. Additionally, there should be enhanced support to the EAC to carry out its mission and streamlined and modernized grant funding for states to improve election systems.

Enabling Recommendation:

  • Modernize Campaign Regulations to Promote Cybersecurity

Key Recommendation: The US government should promote digital literacy, civics education, and public awareness to build societal resilience to foreign malign cyber-enabled information operations.

The US government must ensure that individual Americans have both the digital literacy tools and the civics education they need to secure their networks and their democracy from cyber-enabled information operations. Ways to do this include promoting digital literacy and modernizing civic education, and evaluating and strengthening efforts to raise public awareness of cyber threats.


ABOUT STRATEGIC CYBER VENTURES

Cybersecurity is national security, and we're a D.C.-based venture capital firm on a mission to find cutting-edge startups that help us make an impact. We go beyond the check to help our founders win by leveraging our industry connections and experience as cybersecurity veterans to fuel their companies from inception to exit.

To learn more about our investment strategy and portfolio, explore www.scvgroup.com or connect with us on X @SCV_Cyber to be part of our mission in shaping the future of cybersecurity.