Is U.S. Prepared for a Cyber Catastrophe? Businesses Say, ‘No’

Testifying before a Senate Homeland Security and Government Affairs Subcommittee, Karl Brondell of State Farm Insurance Companies warned that the U.S. is not adequately prepared for a cyber catastrophe.

The insurance executive outlined what a recent Business Roundtable report identified as gaps in current response plans for restoring the Internet following a catastrophic cyber disruption.

Brondell, a strategic consultant in State Farm’s Strategic Resources Department, also detailed a series of Roundtable recommendations for government and businesses to improve identification and assessment of cyber disruptions, to coordinate responsibilities for Internet reconstitution, and to make needed investments in institutions with critical roles in Internet recovery.

The Roundtable report, Essential Steps Toward Strengthening America’s Cyber Terrorism Preparedness, found the U.S. is ill-prepared for a cyber catastrophe due to a lack of coordination between the public and private sectors that would be critical to restoring the Internet following a disaster.

“Progress has been made over the past decade on technical issues, such as establishing computer security readiness teams in government and gaining a better understanding of cyber risks,” Brondell testified.

“However, other issues have not been addressed, such as strategic management and governance issues around reconstituting the economy and shoring up market confidence after a wide-scale Internet failure.”

Business Roundtable is an association of 160 chief executive officers of leading U.S. companies, and State Farm leads the Roundtable’s Cyber Security Working Group of its Security Task Force.

The Roundtable report identified major gaps in the U.S. response plans to restore the Internet:

Inadequate Early Warning System – The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.

Unclear and Overlapping Responsibilities – Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.

Insufficient Resources – Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)’s funding is targeted for support of cyber recovery.

In its report, the Roundtable concluded that these gaps mean that the U.S. is not sufficiently prepared for a major incident that would lead to disruption of large parts of the Internet and the economy.

In addition, the Roundtable report made a series of recommendations for responding to the challenge, including a public-private partnership that identifies and acts on ways to improve collaboration. The recommendations include:

Coordination between government and business of initial efforts to identify when an Internet attack or disruption is occurring;

Creation of a federally-funded panel of experts – from business, government and academia – who would assist in developing plans for restoring Internet services in the event of a massive disruption; and

Implementation of large-scale cyber emergency exercises, with lessons learned integrated into programs and procedures. These exercises should include senior government and business executives who are fully authorized to act during a cyber emergency.

“Without these changes, our nation will continue to use ad hoc and incomplete tools for managing a critical risk to the Internet – and to our nation’s economy and its security,” he said.

In addition, Brondell told the Senate panel that the Roundtable plans to assess coordination of processes and protocols across the private sector before, during and after a major outage.

“We are confident that our member companies are able to manage through most disruptions that affect regional, national and global Internet operations,” Brondell said. “For this reason, the Roundtable will focus its efforts on those large-scale events that no single company is positioned to manage absent widespread cross-industry collaboration in areas such as information sharing and technical support from subject matter experts.

“We will also assess protocols on which institutions respond, but also will look at how early warnings are established as well as how companies access information and service critical disruptions in emergency situations.”

Source: Business Roundtable (www.businessroundtable.org)