Lawmaker slams White House refusal to create plan for economy after potential cyberattack
The chairman of the House Homeland Security Subcommittee on Cybersecurity criticized the Biden administration on Wednesday for refusing to create a specific Continuity of the Economy (COTE) for a major cyberattack.
Congress ordered the White House to create the plan in 2021 and finally got a response two weeks ago. First reported by The Messenger last week, the 29-page report argues that a new COTE plan would be unnecessary considering there are already several plans in place to help the country respond and recover from any cyberattack that caused significant disruption to the U.S. economy.
During an event on Wednesday, Rep. Andrew Garbarino (R-NY) called the Biden administration’s response to congressional demands for a COTE plan “scary” and explained that part of the problem is the lack of a clear cyber leader in the White House.
“I don't think there's a clear person running cyber out of the administration. I think there's competing competing individuals, which is causing things to be delayed. That's why we also had a COTE plan that just came out that wasn't a plan. It was a ‘By the way, we've got this thing, don’t worry about it,’” he said during the online event hosted by the Foundation for Defense of Democracies (FDD).
“Right now. I don't wanna say competing egos are the right word, but I think that's the issue. It's not bureaucracy as much as it is, ‘I'm in charge!’ ‘No, I'm in charge!’ ‘No, I'm in charge!’ And no one's making an actual determination of what to do and at the end of day, by doing that, they're not answering what Congress directed them to do and the private sector — who owns 80% of the critical infrastructure — they're out there waiting like, ‘All right, who are we working with? What are we doing?’ In case all this happens, there's no guidance there.”
Garbarino noted that the requirement of a COTE plan was written into the National Defense Authorization Act for fiscal 2021. He has repeatedly pressed the White House about the issue since taking over his role in January.
The White House response to the demand — which was written by the Cybersecurity and Infrastructure Security Agency (CISA) and came eight months late according to Garbarino — said the COTE plan requirements are “addressed through existing authorities, policies, plans, and frameworks.”
“Creation of a COTE plan with a singular economic focus, coupled with new response frameworks, has the potential to create confusion and duplicate existing response and recovery mechanisms,” CISA said.
The report goes on to lay out several different plans that are organized by Sector Risk Management Agencies (SRMAs).
‘Shared accountability’
Experts and cybersecurity leaders have questioned this response, noting that the lack of a centralized White House command and a pre-planned structure in advance of a wide-ranging cyberattack was dangerous.
Tom Fanning, executive chairman of Southern Company and chair of CISA’s Cybersecurity Advisory Committee, told the FDD audience that during an emergency was not the time to figure out how things should work.
“I have heard people say ‘Oh, well we have the power to convene.’ If you can imagine a disaster that's afflicting America — the lights are out, financial systems don't work, we can't talk or whatever the problem is — now is not the time for calling your buddies and trying to figure it out,” Fanning said.
“We have to create an architecture so that there is an expectation of a shared accountability between the government and the private sector and we have to drill that accountability so in the event of a disaster, we're not making it up as we go.”
Both Garbarino and Fanning defended CISA, arguing that the agency understands the need for coordination with the private sector in the event of an attack and was forced into responding this way by the White House.
Rear Adm. Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, produced his own report with FDD that explained how the White House response does not determine how the existing continuity plans should be updated or improved nor does it “address recovery of the economy or the critical role of the private sector in that endeavor.”
“While it is true that the federal government has robust emergency planning and response frameworks, those plans are effectively silent on how to restore the economy. A dedicated COTE program would harmonize existing plans, determine how and when to invoke existing authorities, and ensure the public-private collaboration necessary to restore the economy,” Montgomery said.
“Furthermore, while this memo agrees with the administration that existing emergency response frameworks should include economic recovery, the administration’s report neither establishes a process nor assigns responsibility to a specific individual or agency to ensure this integration happens. In short, there is no one in charge of ensuring federal agencies update their plans to acknowledge this growing challenge, and many plans are a decade old.”
CISA and the White House did not respond to requests for comment. Garbarino said his subcommittee and others in the House and Senate plan to continue pressing the White House for a COTE plan that abides by what was required by Congress.
The concerns raised echoed several reports that have emerged in recent years about dissension and turf fights among cybersecurity leaders within the Biden administration.
Chris Inglis quit as national cyber director before the administration released the first-of-its-kind national cybersecurity strategy following alleged disputes with Anne Neuberger, the deputy national security adviser for cyber and emerging technology. Neuberger has also reportedly had issues with CISA director Jen Easterly and others at the Department of Homeland Security.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.