In the spring of 2020, the second New York Cyber Task Force (NYCTF) was formed under the direction of its Executive Director Greg Rattray, gathering key high-profile members and leading experts to analyze the degree to which the U.S. was ready for future cyber challenges, including political, economic, and technological developments; changing cyber conflict dynamics; and the COVID-19 pandemic.
Now, the NYCTF has released its new report, “Enhancing Readiness for National Cyber Defense through Operational Collaboration,” with Columbia University’s School of International and Public Affairs (SIPA), revealing U.S. cyber response readiness against national security challenges in cyberspace. In its report, NYCTF envisioned severe, yet plausible, scenarios projected for 2025 to examine how well the nation could defend itself in cyberspace. By looking to the future, the NYCTF shifted away from yesterday’s issues to focus on longer-term enhanced cyber readiness.
The NYCTF experts identified drivers of cyber risk, including geopolitical great power competition, advancements in new technologies like AI and IoT, as well as cyber adversaries leveraging the proliferation of advanced cyber tools.
In its report, the NYCTF details recommendations to create an effective, whole-of-nation approach to enable enhanced cyber readiness through operational collaboration. At their core, these recommendations focus on establishing a public-private network of empowered nodes to provide effective crisis response to strategic cyber contingencies. The NYCTF sees the development of this network as a fundamental step in enhancing cyber readiness.
Erica Borghard – NYCTF Member; Senior Fellow, New American Engagement Initiative, Scowcroft Center for Strategy and Security, Atlantic Council, says, "An important contribution of the New York Cyber Task Force was testing some of the core recommendations of the Cyberspace Solarium Commission, particularly those that focused on public-private collaboration. The fact that the task force's rigorous process validated those recommendations only further reinforces the critical importance of improving how the U.S. government works with the private sector on shared cyber threats. It also demonstrates the urgency of nominating a National Cyber Director and empowering that position to be the focal point within the Federal government for collaboration with the private sector."
The NYCTF experts hope to build on the momentum created by the inclusion of key operational collaboration measures in the recent Solarium Commission Report and the 2021 National Defense Authorization Act (NDAA), as well as actions taken at the state and municipal levels and by the private sector. The United States must undertake a focused, urgent cyber readiness effort through improved operational collaboration now, experts say.
Michael Daniel – NYCTF Member; President & CEO Cyber Threat Alliance, says, "As our society’s digital dependence continues to grow, the cyber threats we face become more dangerous and disruptive too. Responding to these heightened threats requires us to adopt not just new technology but new structures, organizations, relationships, and policies at all levels of government. The New York Cyber Task Force’s second report lays out a clear series of steps to develop those structures and relationships that would measurably improve our cybersecurity as a nation."
To learn more about the report and key findings, Security magazine spoke to Greg Rattray – Executive Director, NYCTF and Co-Founder/Partner, Next Peak.
Security: Which drivers of cyber risk could come together in toxic brews creating shocks to US national infrastructure?
Rattray: Drivers of cyber risk include factors like geopolitical great power competition, advancements in new technologies like artificial intelligence (AI) and the internet of things (IoT), as well as cyber adversaries leveraging the proliferation of advanced cyber tools. These drivers of cyber risk could come together in toxic brews that would create shocks to US national infrastructure. The Task Force took these potential cyber risk drivers to project toxic brew scenarios to the year 2025 in order to identify current gaps in US cyber readiness. For example, as we become more reliant on poorly secured AI and IoT devices in smart cities, China could seek to limit US ability to project power in East Asia by disrupting AI and IoT in critical infrastructure. Another toxic brew example is North Korea increasingly sponsoring the cybercrime underground to launder funds for nuclear weapons development. This could have the impact of raising cybercrime capabilities; rising tensions in the Korean peninsula could result in advanced cloud-driven destructive attacks on the financial system.
Security: Has the US overall effectively identified the potential future of severe, but plausible cybersecurity threats? What’s missing from the cyber response system and what can be done to improve national cyber readiness?
Rattray: In cyber, the US has been playing kids’ soccer – chasing the last breach and incident – instead of proactively planning and preparing for national security challenges. As a case in point, the SolarWinds incident should not have surprised us. Our technology ecosystem is inherently permissive of deeply intrusive and disruptive attacks, and intelligence services have taken advantage of this for a long time. We need to look ahead now to know what games we need to be prepared for in the future, make a game plan and practice hard.
The US has not identified the severe, but plausible challenges worthy of planning and capacity investment and has not enabled a focal point for coordinating the national readiness effort. In addition, we have to acknowledge that because the private sector – both in the technology industry and in critical infrastructure – are at the front line for the impacts and responses to cyber challenges, they have to be engaged as national security partners with the government.
Security: Where to look now to ensure a cybersecurity response that is ready to withstand national security attacks?
Rattray: Improving cyber readiness must be a whole-of-nation effort. What the task force puts forward, the concept of operational collaboration, entails deep organizational partnerships between the private and public sectors. This will allow them to jointly conduct coordinated cyber defense actions through highly synchronized operations, as well as develop joint cyber capabilities to respond to adverse cyber events. At the end of the day, while developing secure technology and systems is extremely important, these private-public processes, organizations and relationships are the last line of defense when technology and critical systems fail. We need to invest in these processes today in order to build trust and joint capabilities so that we are ready for potential national security level cyber challenges.
For the report, including scenarios tested, please visit http://www.sipa.columbia.edu/ideas-lab/techpolicy/readiness-operational-collaboration