Investing in Federal Cyber Resilience
The "Innovation for Resilience: A New Framework for Security" series is a new project from the Center for Strategic and International Studies (CSIS). This initiative is a partnership between CSIS's Diversity and Leadership in International Affairs Program, Energy Security and Climate Change Program, International Security Program, and Strategic Technologies Program.
On December 23, 2015, Russia knocked out power for 250,000 customers in Ukraine. The hackers had taken over the control systems for several electricity plants and remotely shut down the transmission of energy. Power was restored in six hours. Ukrainians found workers who knew where the breakers were physically located along the grid. They got in trucks, drove to those locations, and manually put the breakers back in place. Manual backups to the remote operation, and workers who understood those manual systems, provided resilience that kept this cyberattack from becoming a major disaster.
According to one definition from the National Institute of Standards and Technology (NIST), cyber resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” The more resilient an agency or department, the greater its ability to bounce back after a cyber incident or maintain mission-essential functions in a degraded environment. The Cyberspace Solarium Commission, which highlighted resilience as one of six foundational pillars in its final report, further emphasized that cyber resilience is about recovering from attacks that “could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior.” Resilience denies an adversary the benefits they seek, potentially altering their cost-benefit analysis. For a municipality or business, resilience in the face of a ransomware attack provides more time and more options in deciding how to respond to attacker demands. Systemic resilience across the economy makes the United States more secure, and the federal government can contribute to resilience in each of these contexts.
Cyber Resilience and Cyber Risk Management
Cyber security is an exercise in risk management, not risk elimination. Managing risk depends on assessing (1) incidents that would have the greatest impact or consequences (e.g., on key functions, operations, or reputation) and (2) the likelihood of that incident happening. Likelihood is a factor of threat (i.e., who or what is coming at you) and vulnerability (i.e., the conditions that a threat might exploit). Much of the conversation around cybersecurity focuses on threats and vulnerability. Focusing on understanding and mitigating the potential consequences of malicious cyber activity is at least as—if not more—important and is the key to building resilience. Cyber threats and vulnerabilities are constantly changing and predicting future threat vectors is nearly impossible. Effective resilience, particularly reducing total dependence on networked functions, can mitigate damage regardless of the cause of disruption.
Organizing toward Resilience: Federal Government Structures
Over the last several administrations, organizational structures have evolved to reflect the need to understand and build resilience against the impact of cyber incidents as an essential element of managing cyber risk.
To provide White House-level guidance and ensure coherence in approaches across the various agencies and departments with responsibilities for helping to manage cyber risk, the Office of the National Cyber Director (ONCD), an office initially proposed by the congressionally mandated Cyberspace Solarium Commission, was established in 2021. As part of its stated vision, the ONCD is working to “[increase] present and future resilience.” The former director, Chris Inglis, who stepped down earlier this week, describes his role as the coach, and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as the quarterback.
In 2014, DHS brought together cyber and physical risk analysts to strengthen its understanding of interdependencies and cascading consequences from disruptions in critical infrastructure, including from malicious cyber activity. This led to ongoing work by the National Risk Management Center (NRMC) to identify and map national critical functions (NCFs). CISA has defined these as functions that are so vital that “their disruption, corruption, or dysfunction would have a debilitating effect” on U.S. security. Through the NRMC, public and private entities can coordinate and prioritize different response imperatives around the identified NCFs.
CISA is particularly well suited to conduct this analysis for two key reasons. First, it is responsible for coordinating across all infrastructure sectors, which enables it to assess risks not just within a sector but also to recognize and work to address cross-sector dependencies. Second, CISA leads efforts, in collaboration with sector risk management agencies and critical infrastructure owners and operators, to assess and address physical and cyber risks, as well as the convergence of these risks. Its work over two decades to model and mitigate physical consequences informs efforts to understand the full impact of cyber disruption.
Another crucial source of insights into consequences is after-action reviews of actual incidents. This is why CISA’s Cyber Safety Review Board is such an important part of building resilience. This joint public/private effort to fully understand significant incidents can provide important lessons, assuming their insights are heeded and actions to address identified gaps are forthcoming.
The effort to understand the real-world consequences of incidents relies on insights from those with a deep expertise in the critical functions at issue. It requires understanding the operations that are controlled by or are otherwise dependent on networked systems. It also requires understanding the regulatory and policy environment that may impact options for response. This expertise comes from the infrastructure sectors themselves and from the departments and agencies that have worked with those sectors for many years. This is the thinking behind designating Sector Risk Management Agencies such as the Department of the Treasury and the Department of Energy (DOE) as the leads for their respective sectors. Broader regulatory agencies like the Securities and Exchange Commission and the Federal Trade Commission can also use authorities to incentivize resilience. For example, accurate financial accounting depends on data integrity, and consumer protection can include oversight of breaches that impact the public. Even antitrust oversight can potentially play a role in addressing risk concentration.
To help ensure long-term resilience, the federal government should continue to strengthen the capabilities of key agencies and the coordinating functions of CISA and ONCD, and resist calls for a standalone department that attempts to centralize cyber expertise in a single agency. Implementing such a move would be extremely difficult bureaucratically and is likely to undermine efforts at comprehensively addressing cyber risk, including building resilience, by narrowing cybersecurity to a focus on technology rather than enterprise risk management that includes continuity planning based on consequence expertise.
Investing in Resilient Infrastructure
The federal government, as a given, needs to invest more in resilient infrastructure. Congress appropriated funds for a Cyber Response and Recovery Fund created by the Infrastructure Investment and Jobs Act (IIJA) but missed the opportunity to require that the broader funding for infrastructure projects include specific resilience measures. Cyber resiliency experts need an equitable seat at the table to drive informed cyber resiliency decisions in project development and planning, and risk informed trades in project execution.
Congress also needs to provide consistent funding year after year to support measures that strengthen resilience and be willing to appropriate greater funds to the departments and agencies that are growing their cyber portfolios for preparedness and resilience.
CISA has received significant increases in funding in recent years, with a roughly 25 percent budget increase between FY 2020 and FY 2022. The FY 2023 Omnibus spending bill allocates $2.9 billion for CISA—an increase of 12 percent from FY 2022. Additionally, Congress appropriated up to $20 million for the Cyber Testing for Resilient Industrial Control Systems program at the DOE. However, essential agencies such as the NIST and the Department of the Treasury have not received a sufficient bump commensurate with their role. Given that these agencies require a highly specialized workforce, the lack of adequate funding could lead to losses in that workforce in the near future.
Investing in Process
Per the Executive Order on Improving the Nation’s Cybersecurity, federal agencies will be required to strengthen cyber postures by transitioning to zero-trust architectures (ZTA)—a security philosophy that adopts the approach of “never trust, always verify.” This approach is inherently about resilience, assuming access by a bad actor and limiting the blast radius of an attack, instead of reducing perimeter vulnerabilities. The test for departments and agencies will be if their proposed ZTA plans evaluate how processes, not just technologies, can be strengthened to enhance resilience. This will be especially important in the face of implementation time and budget constraints.
There is currently a misconception that investing in resilience is expensive and rarely yields near-term benefits. That is not always the case. Although there could be an expensive solution for hardening a network, a cheaper alternative might be to install detection tools or identify ways to disconnect key elements from the network. Similarly, there might be nontechnical, cost-effective solutions that should be identified and supported ahead of time as a part of comprehensive resilience planning, such as putting in a hand crank to permit operations to continue or providing paper ballots to mitigate the prospect that a hack—or alleged hack—could undermine trust in an election.
Making trade-offs that prioritize mitigating consequences, in addition to or as an alternative to investing in measures to address vulnerabilities, requires the federal government to continuously evaluate what it means to be secure and what it takes to sufficiently recover from a cyber incident. This will vary across agencies and missions. For example, the defense and intelligence communities’ cybersecurity mission requirements may require different risk management approaches when trying to protect particularly sensitive mission data.
Enhancing Intergovernmental and Public-Private Partnerships
The federal government should work effectively with the private sector, as well as state and local governments and quasi-governmental entities, in order to build cyber resilience, especially considering that most critical infrastructure is currently owned and operated by the private sector or municipalities. This requires the government to play a role as a convenor, facilitator, and supporter for these stakeholders. CISA’s Joint Cyber Defense Collaborative (JCDC) importantly moves collaboration from information sharing to operational collaboration. Congress should authorize the next crucial step in this collaboration, establishing a Joint Collaborative Environment, to ensure joint public/private analytic rigor supporting operations.
As noted above, assessing and prioritizing consequences to critical infrastructure requires insights from businesses, particularly when trying to understand the full impact of a cyber incident. Yet the private sector is often reluctant to share information on the impact of cyberattacks due to concerns about optics, potential liability and regulatory action, and implications for their bottom line. There are also lingering concerns about the government’s ability to protect their information, despite the government’s excellent track record of doing so. Companies view these costs as outweighing the expected benefits. Governments are challenged to provide actionable, real-time information back to companies. It is incumbent on the government to demonstrate the value of robust information sharing.
The recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) moves beyond a voluntary information-sharing approach and tasks CISA with developing regulations for cyber incident reporting. Creating an aggregated data set of incidents will help the government better assess the nature, scale, scope, and costs of cyber risks, as well as the return on investment in cyber resilience. To maintain essential trust with the private sector, and encourage broader sharing on consequences and resilience, CISA—or some other federal entity—should prioritize efforts to use the data collected under CIRCIA to produce timely and actionable products back to the private sector. Congress should provide adequate funding for that analytic work.
The importance of emergency simulation exercises cannot be emphasized enough. Not only are they critical to establishing muscle memory for how to quickly respond during an incident, but they also help participating individuals identify potential cascading effects and assess where there needs to be greater redundancy built into continuity plans. Individual entities should exercise their response plans, but joint public-private exercises are also important for effective resilience. A good example is the Treasury Department’s Hamilton Series cyber exercises done in partnership with the Financial Services Information Sharing and Analysis Center (F-ISAC). Similarly, the North American Electric Reliability Corporation’s Electricity ISAC (E-ISAC) biennially holds GridEx, the largest grid security and resilience exercise in North America. CISA hosts Cyber Storm, a biennial exercise that simulates a large cyber incident that impacts multiple sectors. These should be models for other sectors and their sector risk management agencies. In addition, national-level exercises should be reinvigorated to include the most senior levels of government and include a focus on continuity of the economy. These exercises should aim to make effective use of data and technology to create realistic scenarios, improve the exercise experience, and employ performance metrics to understand effectiveness within and between exercise events.
Managing the Workforce
In response to Russia’s invasion of Ukraine, CISA activated Shields Up, a campaign outlining the ways in which primarily nongovernmental entities should maintain vigilance during heightened geopolitical tensions. CISA continues to report that the threat level remains high, which prompts questions about how long nongovernmental entities will be able to maintain a “crisis” posture. This concern extends to the federal government as well. A key concern is burnout of those accountable for staying vigilant against cyber risk. This highlights a critical piece of enhancing cyber resilience: to continue operations at high levels through a prolonged crisis, it is essential to invest in a resilient federal workforce, and, especially in this context, a fully staffed and prepared cyber workforce.
As of July 2022, there are roughly 700,000 open cybersecurity positions in the United States, roughly 40,000 of which are within the federal government. Further, the current cyber workforce skews white and male, leaving women and people of color drastically underrepresented, and largely includes individuals that share similar education and professional experiences. Enhancing workforce resilience with a particular emphasis on diversity, equity, and inclusion is essential to not only ensure that top talent is recruited to flexibly address today’s cyber challenges, but to also make sure talent is retained over time.
At every level there is room for the federal government to invest in and remove barriers to hiring and retaining technical and nontechnical cyber talent. From tapping into diverse viewpoints to identify and assess unique cyber risks, to calling up reserve forces that can support an already understaffed and potentially fatigued cyber workforce, the federal government cannot afford to sideline significant parts of the population. Instead, it should work to remove barriers, from accessibility barriers to unnecessary certificate, education, and clearance requirements that can be time intensive or financially difficult to obtain. The DHS Cybersecurity Talent Management System (CTMS), which was launched in 2021, takes a step in the right direction by addressing some of the key issues related to hiring and attracting top cyber talent. It will be important to assess CTMS’s successes in the coming years to see where there are still gaps in the talent management process and if there are best practices that can be scaled across industries.
Finally, as the federal government helps build the pipeline for cyber talent by supporting STEM education in K-12 and higher education, the government also should promote the development of civic skills and knowledge. Only by instilling a sense of civic responsibility can the United States hope to have a workforce that fully embraces cybersecurity as a shared responsibility.
Building toward True Cyber Resilience: Recommendations and Next Steps
Though there are agency-specific recommendations that the federal government can consider in order to enhance institutional cyber resilience over time, there are three key areas where the federal government as a whole should prioritize its efforts. First, the federal government should treat cybersecurity as an exercise in risk management, not risk elimination, and develop and prioritize response plans accordingly. Second, the federal government needs to urgently invest time and energy into developing a more resilient cyber workforce that is fully staffed and more diverse the federal level and promote initiatives that will also help develop the private sector cyber workforce, given the nature of today’s cyber incidents. Finally, department and agency heads should spearhead a process to tie planning to consequence analysis and involve non-IT professionals in the planning and exercises.
Suzanne Spaulding is senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Devi Nair is an associate director and associate fellow with the CSIS International Security Program. Sophia Barkoff is a former research intern with the CSIS International Security Program.
This commentary draws from independent research and an expert roundtable that took place on September 26, 2022. This project is made possible by the generous support of the Deloitte Consulting LLP.