The White House is reviewing a proposal to create a council of CEOs from critical infrastructure industries to jointly plan for cyber or physical attacks or natural disasters that cut across their sectors.
Under the plan, senior executives from the energy, transportation, telecommunications, water and financial services industries would meet regularly with federal agency leaders to create coordinated defense and response plans for natural emergencies such as Superstorm Sandy or a widespread cyber or physical attack that hit multiple sectors.
The proposal to create a Strategic Infrastructure Executive Council was sent to the White House in March by the National Infrastructure Advisory Council (NIAC), a federally appointed panel. A senior administration official said the National Security Council received the NIAC report earlier this week and is currently reviewing it.
The NIAC report warned that "the pace of growth of threats, whether man-made or natural, and their potential catastrophic consequences, create a sense of increased urgency." How well critical infrastructure industries coordinate with each other will determine how quickly the communities they serve can "bounce back" from catastrophes, the report said.
The executive council would set priorities for collaboration among industry sectors on critical security issues, identify obstacles, and develop strategies and policies for meeting those challenges.
"This is important and very timely," said Paul Stockton, managing director of Sonecon, an economic policy and security consulting firm, and former assistant secretary of Defense for homeland defense and security. "There are cross-sector interdependencies that need to be addressed," particularly for recovery operations after a disaster, he said.
"We learned in Sandy that to get electricity back and running it was very important to address issues in other sectors," Stockton said. The loss of electric power shut down gasoline stations and disrupted communication, and flooding destruction to highways threw roadblocks in front of grid repair crews.
A primary issue was not just the destruction of cellular towers in the storm, but the loss of electric power for communications facilities generally, and a shortage of backup power, the NIAC report said. In some cases, emergency generators in New York were stashed in basements that flooded.
"Some of that collaboration is already going on today," Stockton said, including sharing of plans and cybersecurity threats. "Much more can be done, including sharing of best practices, how to get data out in a timely fashion and how to build trust relationships," he said.
"I believe there is a risk that adversaries could attack the U.S. through cyber and perhaps cyber and physical attacks in a cross-sector campaign. Instead of attacking only one — electricity or water and wastewater services, for example — an adversary might attack multiple sectors simultaneously," he said. The proposed CEO group could help prepare for combined attacks, he said.
The NIAC strategy is modeled after the Electricity Sub-Sector Coordinating Council, a group of 30 utility CEOs and trade association executives that meets three times a year with senior federal law enforcement and security officials to share classified high-level information about threats and to review defensive strategies. The presence of chief executives can produce fast results on critical issues, NIAC said.
The NIAC report noted the ESCC’s role in mounting a defense against the Heartbleed cyber vulnerability, discovered in April 2014. A coding error in a widely used software encryption program could allow attackers to gather up encrypted passwords, instant messages and emails, and other data in computer memories.
The discovery of the Heartbleed gap was announced at a White House meeting, and federal agencies were directed to alert industries they work with. ESCC spread the warning to electric power companies, said Scott Aaronson, senior director for national security policy at the Edison Electric Institute.