Former Senior Government Officials, Private Industry Leaders Participate in Simulated Attack That Exposes Major National Security Gap
(Washington, D.C., February 5, 2019) – The results of a tabletop exercise on cyber-enabled economic warfare find that when a large-scale destructive cyberattack occurs, the United States and the private sector must already have in place the resources and methods to share information in order to mitigate the attack and recover from it quickly, according to a joint report issued today by the Foundation for Defense of Democracies (FDD) and The Chertoff Group.
The exercise, which featured former senior government officials and private industry leaders, simulated a massive cyberattack affecting various U.S. lifeline sectors at the same time that the U.S. military was deploying substantial forces to an overseas theater due to a geopolitical standoff with a peer adversary. As military tensions escalated, the cyberattacks did as well. There were cascading impacts on critical and consumer infrastructure, degrading military capabilities and stoking public fear that access to food, health care, and bank accounts may be jeopardized.
“China, Russia, Iran, and North Korea have all demonstrated their intention to use cyber to attack critical infrastructure and private companies across the U.S. economy,” said Samantha Ravich, chairman of FDD’s Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab and the principal investigator on FDD’s Cyber-Enabled Economic Warfare project. “The U.S. government and private sector can’t wait until such an attack occurs to prepare. The robust continuity of our economy may hinge on ensuring that the right resources, data, technology, and personnel flow smoothly to assist affected sectors in the aftermath of such a catastrophic event. The time for preparation is now.”
The new report, “U.S. Government and Private Industry Must Prepare for Cyber-Enabled Economic Warfare Escalations,” explains that “U.S. national security and prosperity require resilient enterprises that are capable of withstanding and rapidly recovering from a significant cyber event. This requires pre-clearing select members of the private sector so that the government can share timely, classified, actionable information.”
“Now more than ever, there is a need to review and reshape the specific division of labor and responsibility between government and private sector in addressing cyber-enabled economic warfare events, as the status quo has been outmoded,” said General (ret.) Michael Hayden, a Chertoff Group principal and exercise participant. “The findings in this report outline critical guidance on some of the steps the public and private sector should implement to build counter-CEEW conditions and build resilience.”
The exercise revealed that while sector-specific and cross-sector information sharing has improved, the volume and quality of exchanges remains uneven across industries. Critically, “relatively few companies outside select sectors are proactively sharing cybersecurity threat information with federal entities,” and many companies are unaware of liability protections already in place to ease legal constraints on sharing information with the government.
The report provides more than 20 recommendations for the U.S. government and private industry to build trust and develop specific procedures for cyber-enabled economic warfare attacks.
The Foundation for Defense of Democracies (FDD) is a Washington, DC-based non-partisan policy institute focusing on national security and foreign policy. Visit our website at fdd.org and connect with us on Twitter, Facebook, and YouTube.
About The Chertoff Group:
The Chertoff Group is a global advisory services firm that applies security expertise, technology insights and policy intelligence to help clients build resilient organizations, gain competitive advantage and accelerate growth. Through its investment banking subsidiary Chertoff Capital, the firm provides M&A advisory services in global security markets and assists cyber and tech-enabled security companies raise capital to grow their enterprise.