Who Gets Their Lights Back First if a Cyberattack Brings Down the Grid?

It is perhaps fortunate that the recently disclosed SolarWinds hack was an espionage operation affecting only 18,000 customers, including Fortune 500 companies and U.S. government agencies. If the hackers, who are believed to be Russian, had focused on destruction instead of stealing secrets, the United States might be facing an economic and security crisis of unprecedented scale. If—or perhaps when—we witness a widespread cyberattack or a massive, cascading, economic collapse, U.S. leadership will have to prioritize which industries receive scarce government assistance to ensure that the U.S. economy continues to function. Industries must also have a plan ready to execute in the absence of timely government assistance.

The COVID-19 pandemic changed our understanding of lifeline critical infrastructure, placing grocery stores and logistics higher on the list. But in the days and weeks after a cyberattack, how will Americans buy food if they cannot access their banks accounts? How will banks operate if there is no electricity? How will power plants operate if trains can’t move coal? And what sectors—or even what regions of the country—should be the first to get their cell phone service back up and running? The questions only spiral from there, but the U.S. must be ready with answers before such a doomsday event occurs. The United States needs a Continuity of the Economy plan to ensure we can reconstitute the economy in the wake of a devastating cyberattack.

For decades the U.S. government has had Continuity of Operations and Continuity of Government plans to ensure our nation could function after a nuclear attack. But today’s risks are different. Our networked systems are vulnerable to catastrophic collapse and cyberspace presents an entirely new front, not simply for traditional warfare, but for economic warfare. It is a space where belligerent actors can degrade our military and strategic capabilities by attacking our economy. Private industry stands on the front lines of today’s cyber battlefield, facing down persistent attacks from hackers backed by America’s adversaries. Private companies control most  utilities, financial tools, supply chains, and other critical infrastructure that support national security and our way of life.

Highlighting these new risks, the 2021 National Defense Authorization Act contains nearly 70 provisions meant to increase resilience of U.S. cyberspace. This includes a novel requirement that the federal government plan for Continuity of the Economy. This provision stems from a recommendation of the congressionally mandated Cyberspace Solarium Commission, which noted in its March 2020 report that such a plan will contribute to cyber deterrence by “demonstrating that the United States has the wherewithal to respond and remain resilient to a significant cyberattack.”

In other words, adversaries must understand and believe the United States will not be hobbled because of a cyberattack. They must believe—because they know we have planned for such an occurrence—that we will quickly recover and will impose consequences. That is the hallmark of real deterrence.

The NDAA’s requirement is an important first step, but now the planning and exercising must begin. There are many miles between deciding to do it and actually implementing a robust recovery plan for a variety of contingencies.

While the goal of any such plan would certainly be a return to pre-attack economic activity, that will take time. The U.S. operates a $21 trillion economy with more than 31 million businesses. It relies on more than 4 million miles of road for distribution of essential food, medicine, and material. Following a large-scale cyberattack, the government will have limited recovery resources. How do we craft a resilient system able to empower 31 million independent agents to creatively work and recover together? What are the most critical companies and industries enabling a rapid recovery? Are we sure we know the most significant priorities in this complex networked system? Like Continuity of Operations/Continuity of Government, we must determine the critical economic functions on which the rest depend, and recover those first. To prioritize recovery order, Continuity of the Economy plans must identify the critical nodes and interdependencies within national infrastructure that guarantee U.S. economic resilience.

Decision makers today are grappling with strategies to prioritize distribution of COVID-19 vaccines—a single commodity. Imagine having to prioritize resources to restart the entire economy. The task is monumental, but the goal is straightforward: Decision makers need information now to give them insights to the vast complexity of the U.S. economy and an understanding of the forecasted outcomes of alternative scenarios before decisions are made.

Crafting a national strategy to limit consequences of failure or to prioritize recovery operations begins with good information. Fortunately, Congress showed great wisdom crafting the 2021 National Defense Authorization Act. They required an analysis of U.S. distribution and supply chains to identify the critical economic actors and functions that must be operational if the U.S. is to maintain its defense readiness, public health, and national security. The incoming Biden administration will be the first to face these new Continuity of the Economy planning requirements.

But data alone is insufficient. Our combined decades of experience in data science, military logistics, and policy making have taught us that decision makers will need a way to visualize the complex interconnectivity across economic sectors so that they can understand it. Only then will they be able to develop the plans to actively prevent cascading system collapse and prioritize recovery order following a significant event—defending U.S. interests on the cyber battlefield depends on it.

ASU’s Decision Theater and the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies are partnering on a data driven visualization of interconnectivity and dependencies across economic sectors to demonstrate how the U.S. government can begin to understand prioritization of recovery. ASU is a partner with Slate and New America in Future Tense. Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society. Samantha F. Ravich is a Commissioner on the Congressional Cyber Solarium Commission and the Chair of FDD’s Center for Cyber and Technology Innovation. Annie Fixler serves as CCTI’s deputy director. Follow Annie on Twitter @afixler. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.