GOP Rep: Government, Private Sector Must Plan for Big Attack
Federal Agencies, Businesses Must Go Beyond Info Sharing, Prepare for Cyberattack
U.S. government agencies and the private sector have embraced information sharing but both sectors lack a coordinated response plan in the event of a massive cyberattack, a leading House Republican said Thursday.
"We need to develop these partnerships to actually be ready for a major cyberattack," said Rep. Andrew Garbarino, R-N.Y. "I don't think we're ready right now. I think we can get things back up and running, but you don't want to wait for the cyberattack to happen to have your first meeting. These companies have test runs all the time to make sure they know what happens. We should be doing that too."
Public-private partnerships are essential because 80% of U.S. critical infrastructure is owned by the private sector, meaning government employees likely wouldn't be the ones restoring the systems after an attack, said Garbarino, who chairs the House Subcommittee on Cybersecurity and Infrastructure Protection. He spoke with Punchbowl News on Thursday about security oversight and workforce issues (see: Cyber Experts Urge House Committee to Avoid Federal Shutdown).
"What happens when the banking sector, the transportation sector, the healthcare sector, and the energy sector all shut down because of a major cyberattack? What do we do first? Who's in charge? Who's the leader in the banking sector the government is coordinating with?" Garbarino asked. "Right now, we don't have that plan."
Is CISA in the Driver's Seat?
Congress has "rightfully" given the Cybersecurity and Infrastructure Security Agency a lot of money and power in recent years, Garbarino said, and he added that he wishes the Biden administration would let CISA Director Jen Easterly be more of a leader publicly. Garbarino said his subcommittee is responsible for ensuring that CISA has the ability and the assets to do the work that Congress has given the agency the authority to do.
"If there was a big cyberattack tomorrow, I don't know who the administration would put up as, 'Okay, this is the go-to person,'" Garbarino said. "It's a little bit of a mess over there right now."
A CISA spokesperson told Information Security Media Group the agency works with both public and private sector partners to drive collective action and ensure the nation is prepared for significant cyber incidents. This includes working collectively to synchronize cyber defense planning and operations as well as offering technical expertise and incident response support to compromised organizations.
"We are also leading a process to update the National Cyber Incident Response Plan to strengthen processes, procedures, and systems to ensure a coherent and integrated federal government response to significant cyber incidents," the spokesperson told ISMG.
Initiatives such as the Defense Department's Cyber Training Academy can significantly reduce the cyber skills gap in the federal government, but Garbarino said most of the 500,000 cyber job openings are in the private sector, which is responsible for securing most of the country's critical infrastructure.
"The biggest threat that we have to our nation right now when it comes to cybersecurity is the lack of workforce," Garbarino said. "The development of a Double-A or Triple-A team to take these jobs is something that we really need to focus on."
Fear of Excess Fragmentation
The fragmentation of cyber responsibilities at the local level is one of the top impediments to security readiness since villages, towns, cities and even counties often don't have the money to hire their own chief information security officer, Garbarino said. The situation is worse for critical infrastructure, he said, adding that Nassau County, New York, has 30 separate entities each responsible for an individual water facility (see: US Passes Law Requiring Better Cybercrime Data Collection).
"When you're not JPMorgan Chase and able to spend $1 billion on this and $500,000 on that, you need to get help from somewhere else," Garbarino said. "A lot of these municipalities need our help to do it."
Foreign nations from the United Kingdom to the Netherlands and Estonia have pursued cybersecurity partnerships with the U.S. in hopes of benefiting from information sharing, Garbarino said. In addition to strong U.S. offensive cybersecurity capabilities, other nations realize they would benefit from being privy to the latest cybersecurity communications between the U.S. government and the U.S. private sector.
"For us, it's good to have partnerships with these guys because Estonia might be the front line," Garbarino said. "They're the ones who might be getting tested out on first. Russia might say, 'Well, let me see if this works on Estonia, and if it does, I'm going to try it out on the U.S. Making sure we have a partnership with them is good for us too because they can also provide us information."
Updated Oct. 20, 2023 00:20 UTC: Adds comments from CISA.