"Our nation's Internet and cyber infrastructure serve as a critical backbone for the exchange of information vital to our security and our economy, but our analysis has exposed a significant weakness that could paralyze the economy following a disaster," said Edward B. Rust Jr., Chairman and CEO, State Farm Insurance Companies and head of the Roundtable Security Task Force's working group on cyber security.
"If there's a cyber disaster, there is no emergency number to call -- and no one in place to respond because our nation simply doesn't have the kind of coordinated plan in place that we need to restart and restore the Internet," Rust added. "Government and industry must work together to beef up our cyber-security and recovery efforts."
The report -- Essential Steps Toward Strengthening America's Cyber Terrorism Preparedness -- is the culmination of a year's work by top businesses led by the Roundtable, an association of 160 CEOs of the nation's leading companies. Identifying ways to harden the Internet has been one of the main priorities of the Roundtable's Security Task Force because a properly functioning Internet is essential to the continuity of the nation's economy.
The report identifies cyber shortfalls similar to the disaster response problems that occurred following Hurricane Katrina, highlighting three significant gaps in response plans to restore the Internet:
- Inadequate Early Warning System The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.
- Unclear and Overlapping Responsibilities -- Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.
- Insufficient Resources -- Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)'s funding is targeted for support of cyber recovery.
"If our nation is hit by a cyber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place to restart and restore the Internet," said John J. Castellani, President of the Roundtable. "A cyber disaster could have immediate and nationwide consequences to our nation's security and economy, and we need to be better prepared. That's why advance copies of this report have been given to the Department of Homeland Security and Congressional leaders."
Recommendations Made for Government and Businesses to Detect and Respond to Cyber Disruptions
The report offers recommendations for government and business to improve identification and assessment of cyber disruptions, to coordinate responsibilities for Internet reconstitution, and to make needed investments in institutions with critical roles in Internet recovery.
Response and recovery to a cyber disaster will be different from natural disasters such as Hurricane Katrina, when the federal government had the leading role. Industry must undertake principal responsibility following an incident for reconstituting the communications infrastructure, including telephone, Internet and broadcast, the Roundtable report stated.
The Roundtable called on the federal government to establish clearer roles and responsibilities, fund long-term programs, and ensure that national response plans treat major Internet disruptions as serious national problems. For example, while the Administration says that it has authority to declare a cyber emergency and will consult with business leaders, the report notes it is
-
not clear how this consultation will occur or what the factors are for declaring an emergency.
Recommendations for the private sector include urging companies to designate a point person for cyber recovery, update their strategic plans to prepare for a widespread Internet outage and the impact on movement of goods and services, and set priorities for restoring Internet service and corporate communications.
However, the Roundtable noted that the best preparedness for recovering from a cyber disaster will require government and the private sector to work together.
In one specific recommendation for public-private collaboration, the Roundtable urged creation of a federally-funded panel of experts who would assist in developing plans for restoring Internet services in the event of a massive disruption. In addition, the report suggests that the Department of Homeland Security and industry conduct large-scale cyber emergency exercises, with lessons learned integrated into programs and procedures.
"We need a national response to this challenge, not separate business and government responses -- and that means better collaboration," Castellani said. "Most important, we must start immediately. Because of the widespread consequences of a massive cyber disruption, our nation cannot wait until an incident occurs to start planning the response."
