Recommendations Made by NIAC

NIAC Securing Cyber Assets – Final Report

The National Infrastructure Advisory Council (NIAC) is a body comprising senior executives from state and local governments and industry. These executives own and operate critical infrastructure that is necessary to modern life. It was established in October 2001 by an executive order from the President to advise on practical strategies that would help the government and industry to lessen complex risks to the selected critical infrastructure sectors (The President’s National Infrastructure Advisory Council, 2017). As part of fulfilling its mandate, NIAC carries out extensive studies and interviews on what needs to be done to secure critical infrastructure in the country against targeted and aggressive cyberattacks. After conducting the studies, the council provides a series of recommendations that can be adopted by the government and industry. This paper examines one of the recommendations provided by NIAC in terms of its implementation by the government and/or the private sector.

NIAC’s Recommendations

As previously indicated, NIAC provides a series of recommendations that can be implemented by the public and/or private sector to help secure the United States critical infrastructure. The recommendations provided by this council are based on the findings of extensive studies and reviews incorporating different cyber and industry experts. The recommendations are geared toward ensuring the U.S. government and the private sector collectively have adequate resources and capabilities to protect critical infrastructure systems against aggressive and targeted cyberattacks. In this regard, these recommendations focus on ensuring these cyber capabilities and resources are properly arranged, harnessed, and focused.

Since the recommendations seek to enhance cybersecurity in the country, it requires participation by the government and the industry. NIAC considers public-private partnership as a critical factor toward protecting the nation against targeted and aggressive cyberattacks. A partnership between the government and the private sector would enable the country to leverage its current cyber resources and improve protection. Such partnerships would also help strengthen the capabilities of the modern cyber workforce in dealing with potential cyberattacks. In essence, the need for private sector involvement in efforts to protect the country against cyberattacks is based on the principle of collaboration. Since cyberspace is a cross-cutting challenge, the government should collaborate with private sector organizations to enhance the security of cyberspace and help protect the nation’s critical infrastructure systems.

Review of the Chosen Recommendation

One of the 11 recommendations made by NIAC to help enhance the protection of U.S. critical cyber infrastructure is strengthening the capabilities of the existing cyber workforce through the establishment of a public-private expert exchange program (The President’s National Infrastructure Advisory Council, 2017). This recommendation required action from Congress, the U.S. Department of Homeland Security, and the National Security Council.

Sponsoring a public-private expert exchange program is a recommendation made by NIAC based on the principle of collaboration and public-private partnerships. Public-private partnerships are generally viewed as collaborative agreements involving entities from the public and private sectors (Hadley, 2019). Such partnerships are common in the United States as they are primarily used for infrastructure development and are usually long-term in nature. Given the cross-cutting nature of cyberspace, the formation of public-private partnerships is critical to enhancing the nation’s critical cyber infrastructure. NIAC believes that the creation of an exchange program between public and private sector entities would help enhance the capabilities of cyber workforce in the government and the private sector.

An exchange program would provide the most suitable way to address the perceived shortage of cybersecurity experience across the public and private sectors. Through such a program, private sector cybersecurity workforce would enhance their expertise and experience by learning from their public sector counterparts. In addition, the program would provide a means for the adoption of innovative approaches in preventing and dealing with targeted and aggressive cyberattacks. By enhancing the expertise and experience of the cyber workforce, the program would play a critical role in ensuring they possess the necessary skills and abilities to protect cyber infrastructure across the country.

Key Decisions to Secure this Cyber Asset Area

As previously indicated, the responsibility of implementing this recommendation is on the National Security Council, the U.S. Department of Homeland Security, and Congress. Congress has taken a cue from the NIAC and started working on the establishment of a public-private expert exchange program to strengthen today’s cyber workforce. The effort by Congress is evident in the creation of a bipartisan bill to develop an exchange program between the federal government and private organizations. The bipartisan bill was developed by Senator Amy Klobuchar (D-Minnesota) and Senator John Thune (R-South Dakota).

These senators developed the Cyber Security Exchange Act with the aim of bringing more cybersecurity expertise to the federal workforce (Thomsen, 2019). Based on the provision of this Act, cyber experts at private entities or academia would be given the opportunity to work for federal agencies for a period of up to two years. On the other hand, federal cyber workers would be given the opportunity to work in the private sector to enhance their knowledge in cybersecurity practices. The creation of the exchange program is fueled by the need for additional cyber security experts to ensure the United States is not susceptible to cyberattacks from criminals and adversaries. In addition, the establishment of this piece of legislation would help ensure that federal agencies could tap into the vast cybersecurity resources in the private sector and academia to enhance the nation’s cyber capabilities. These lawmakers drafted the bill following the identified gaps in the cybersecurity workforce and in line with the recommendations made by NIAC. However, the bill is still in its formative stages but represents a critical step made by Congress to implement one of the recommendations made by NIAC. The bill has been read twice in the Senate and currently referred to the Committee on Homeland Security and Governmental Affairs.

The U.S. Department of Homeland Security has also taken the lead in implementing this recommendation as part of its private sector engagement program. The department has established a public-private analytic exchange program (AEP) in which public and private sector cybersecurity experts are paired up to create unclassified analytic deliverables within a 6-month period. It acts as an annual exchange program that brings together intelligence community personnel from the federal government and the private sector. It has played a critical part in enabling government and private sector analysts to obtain a greater understanding of their unique missions and collaborate on issues of mutual interest (Office of Intelligence and Analysis, 2020).

Improving the Situation

As evident in the analysis, some of the key stakeholders charged with the responsibility of implementing this recommendation have made some steps in execution. However, these steps are still minimal and fail to expedite the implementation process of the recommendation. This comes at a time when gaps in the cybersecurity workforce continue to affect measures to enhance the protection of the nation’s critical cyber infrastructure. Therefore, these stakeholders need to undertake further measures in implementing this recommendation by NIAC. First, the National Security Council (NSC) needs to provide a roadmap on the creation of the public-private expert exchange program. While NSC is one of the major stakeholders who would play a major role in implementing the program, it is yet to take any action. Action from this agency would help prioritize federal action toward expanding cyber workforce programs as recommended by NIAC (The President’s National Infrastructure Advisory Council, 2017).

Secondly, Congress should go beyond the establishment of necessary legislation and focus on the specific suggestions provided by NIAC on this issue. Apart from enacting legislation, Congress should consider expanding scholarship-for-service programs that focus on attracting future cyber workforce. This would be critical toward addressing the current gaps in cybersecurity workforce and help to expand existing cyber workforce programs. For the Department of Homeland Security, clearances for students in college-level cybersecurity programs would be critical to expediting access to qualified cybersecurity personnel. The current measures adopted by this department primarily focus on intelligence gathering and sharing between public and private sector entities. However, there is a need for the department to prioritize actions that would help in expediting access to qualified personnel in cybersecurity.