New York Cyber Task Force Report Identifies Near-Term Cyber Defense Challenges, Calls for Increased Government and Private Industry Collaboration
A new report prepared by the New York Cyber Task Force examines the leading cyber defense challenges anticipated through 2025 and finds that coordination between government agencies and private business must be revamped in a dramatic way for the United States to be up to the task.
Titled “Enhancing Readiness for National Cyber Defense through Operational Collaboration,” the report finds that public-private coordination to curtail and remediate severe cyber defense crises is a vital leverage point going forward. The report looks at national defense through the lens of emerging technologies and opportunities for threat actors such as the rollout of 5G, expected geopolitical areas of competition and advances in AI and the Internet of Things (IoT).
A potential future face of cyber defense partnerships
The report sees the state of cyber defense changing very rapidly in the next few years due to these various technological developments rolling out and becoming a part of everyday life. Commissioned by the School of International and Public Affairs (SIPA) just after the Covid-19 outbreak in early 2020, the central purpose of the report is to forecast “severe but plausible” threats that are likely to emerge by 2025.
The answer to this variety of emerging cyber defense challenges, at least according to the report, is the concept of “operational collaboration.” Made as simple as possible, this means the forging of new partnerships between government agencies and the private companies that run the internet’s infrastructure and various communications platforms for the purpose of cyber readiness.
That’s a concept that can make people nervous when stated broadly, but the report is careful to specify that these partnerships are meant for response to “severely disruptive” crisis threats. The central proposition is the formation of a new federal agency, the National Cyber Response Network (NCRN), which acts on what it calls National Cyber Crisis Contingencies (NCCC).
So what exactly are these contingencies? The report role-plays four imagined scenarios that serve as examples, all involving US rival nations that pose some sort of threat. One scenario sees Iran attacking US smart devices and the utilities used by forces deployed in support of Saudi Arabia. Another envisions China mounting a disruptive long-term campaign against US logistics using IoT and AI-based attacks. And a third sees North Korea escalating its cybercrime campaigns to directly attack cloud-based services used by US banks. The crisis contingencies addressed by this proposal involve some sort of national-level security threats against critical functions at a scale and duration that is more severe than the average attack.
“Big tech” sums up the private organizations that would be a part of the proposed NCRN. The agency is visualized as a network of nodes that loops in the relevant federal agencies as well as state and local entities and providers of critical infrastructure. The “digital service provider node” is where the private entities come in; the report’s flow chart identifies Amazon AWS, Microsoft, Google and AT&T as specific businesses that would be included. The NCRN’s primary directive would be integrating these disparate organizations and training their response teams to activate and coordinate during an NCCC response. This would include regular collaborative cyber security training and exercises centered on shared playbooks.
Recommendations for cyber defense
Among the handful of specific recommendations in the report that would allow for this new cyber defense network to begin assembling, the third – “Remove legal and procedural barriers to enhance response” – is the one most likely to give people pause. The report is somewhat vague in this area but does call for “emergency collaboration clauses” for the private industry security teams that ” … offer full protection from legal recourse for any information appropriately disclosed to better enable a timely response to a declared NCCC.” It also calls for increased local law enforcement access to federal-level intelligence during cyber attacks.
Another recommendation that could prove contentious and hard to manage, given general public attitudes toward the media and big tech, is “building trust and confidence” by engaging “traditional media organizations and reporters.” This proposal calls for “digital literacy programming” for the general public to identify misinformation, and “mechanisms for the public to flag and report disinformation during a cyber crisis.” The proposal also seeks to “Increase collaboration between governmental communications, traditional media, social media platforms and influencers though crisis co-creation of cyber crisis communications playbooks for media stakeholders and NCRN node operators,” and to ” … ensure that the government and media companies have appropriate active collaborative mechanisms to moderate content with stricter fact-checking, publishing criteria, and warnings of misinformation campaigns.”
The report’s section on “trusted information sources” also provides some interesting reading, addressing the reality that private organizations will be hesitant to transparently collaborate with the same government agencies that are regulating them. The researchers also see the media’s “competing priorities” as a potential barrier to use as an information outlet during a cyber defense crisis.
While the report is peppered with politically and socially contentious proposals, what might ultimately be the biggest barrier to this bold digital transformation is the cost. The report does not name any figures, but the level of cyber defense readiness it calls for would undoubtedly come with a huge bill to public funds in addition to substantially increased costs for various private stakeholders and their vendors.