The results of a tabletop exercise on cyber-enabled economic warfare find that when a large-scale destructive cyberattack occurs, the United States and the private sector must already have in place the resources and methods to share information in order to mitigate the attack and recover from it quickly, according to a joint report by the Foundation for Defense of Democracies (FDD) and The Chertoff Group.
The exercise, which featured former senior government officials and private industry leaders, simulated a massive cyberattack affecting various U.S. lifeline sectors at the same time that the U.S. military was deploying substantial forces to an overseas theater due to a geopolitical standoff with a peer adversary. As military tensions escalated, the cyberattacks did as well.
There were cascading impacts on consumer and critical infrastructure, degrading military capabilities and stoking public fear that access to food, health care, and bank accounts may be jeopardized.
“China, Russia, Iran, and North Korea have all demonstrated their intention to use cyber to attack critical infrastructure and private companies across the U.S. economy,” said Samantha Ravich, chairman of FDD’s Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab and the principal investigator on FDD’s Cyber-Enabled Economic Warfare project. “The U.S. government and private sector can’t wait until such an attack occurs to prepare. The robust continuity of our economy may hinge on ensuring that the right resources, data, technology, and personnel flow smoothly to assist affected sectors in the aftermath of such a catastrophic event. The time for preparation is now.”
The new report, “U.S. Government and Private Industry Must Prepare for Cyber-Enabled Economic Warfare Escalations,” explains that “U.S. national security and prosperity require resilient enterprises that are capable of withstanding and rapidly recovering from a significant cyber event. This requires pre-clearing select members of the private sector so that the government can share timely, classified, actionable information.”
“Now more than ever, there is a need to review and reshape the specific division of labor and responsibility between government and private sector in addressing cyber-enabled economic warfare events, as the status quo has been outmoded,” said General (ret.) Michael Hayden, a Chertoff Group principal and exercise participant. “The findings in this report outline critical guidance on some of the steps the public and private sector should implement to build counter-CEEW conditions and build resilience.”
The exercise revealed that while sector-specific and cross-sector information sharing has improved, the volume and quality of exchanges remains uneven across industries. Critically, “relatively few companies outside select sectors are proactively sharing cybersecurity threat information with federal entities,” and many companies are unaware of liability protections already in place to ease legal constraints on sharing information with the government.