When a large-scale cyberattack hits the US, the government and the private sector must have recovery plans in place to share resources and mitigation strategies, according to a Tuesday report from the Foundation for Defense of Democracies (FDD) and the Chertoff Group.
The report detailed a tabletop exercise performed among former senior government officials and private industry leaders, simulating a massive cyberattack that would affect a number of US sectors, while at the same time, the military was deploying forces overseas due to a geopolitical standoff with a peer adversary. As the military tensions escalated, the cyberattacks did as well, the report noted.
SEE: Disaster recovery and business continuity plan (Tech Pro Research)
The simulated attack impacted critical and consumer infrastructure, as well as harmed US military capabilities. It also led to public fear that access to food, health care, and bank accounts would be jeopardized.
“China, Russia, Iran, and North Korea have all demonstrated their intention to use cyber to attack critical infrastructure and private companies across the U.S. economy,” Samantha Ravich, chairman of FDD’s Center on Cyber and Technology Innovation, said in a press release. “The U.S. government and private sector can’t wait until such an attack occurs to prepare. The robust continuity of our economy may hinge on ensuring that the right resources, data, technology, and personnel flow smoothly to assist affected sectors in the aftermath of such a catastrophic event. The time for preparation is now.”
Enterprises must be able to withstand and recover from large-scale cyberattacks as a matter of national security, the report stated. Certain members of the private sector should be pre-cleared so that in the event of an attack, the government can share timely classified information that both groups can take action on, it added.
“Now more than ever, there is a need to review and reshape the specific division of labor and responsibility between government and private sector in addressing cyber-enabled economic warfare events, as the status quo has been outmoded,” Michael Hayden, a Chertoff Group principal, said in the release. “The findings in this report outline critical guidance on some of the steps the public and private sector should implement to build counter-CEEW conditions and build resilience.”
While information sharing between the private sector and the government has improved, the volume and quality of exchanges remain uneven across different industries, the report found. It’s still rare for companies to proactively share cybersecurity threat information with federal agencies, and many companies are not aware of the liability protections in place that would ease the legal constraints on sharing information with the government.
How businesses can work with the government to prepare for a cyberattack
Here are five tips private industry organizations can use to build trust with the government and develop specific procedures to combat cyberattacks from nation states, according to the report:
- Collaborate on a unified approach to strategic early warning on attacks on important infrastructure
- Engage in focused discussions that consider the sensitivity of information that could be potentially requested by the US government during an attack
- Conduct comprehensive business impact analyses on critical business functions and the applications, data, and other IT assets that support those functions
- Ensure business continuity and disaster recovery plans include recovery time objectives and redundancies and work-arounds to sustain critical operations
- Consider, for companies with significant foreign ownership, control, or influence, contingency plans for balancing business objectives with potential CEEW conditions and associated geopolitical tensions