Lawmakers Underscore the Importance of a Plan for Continuity of the Economy

In two separate letters last month, members of Congress urged President Joe Biden to develop a strategy for creating and implementing a Continuity of the Economy (COTE) plan, which would aim to ensure the renewal of the U.S. economy following a significant cyberattack. However, while Section 9603 of the National Defense Authorization Act for Fiscal Year 2021 gave the administration two years to devise a strategy for developing this plan, a year has already passed and the president has yet to act.

The letters — one from Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI), who serve as co-chairs of the Cyberspace Solarium Commission (CSC), and the other from Rep. Andrew Garbarino (R-NY), who serves as ranking member of the Cybersecurity Subcommittee of the House Homeland Security Committee — question the Biden administration on this lack of progress.

The Gallagher-King letter notes that “the key to resilience” is the ability “to restart [the U.S. economy] rapidly, and the only way to restart rapidly is to have a clear plan in place.” Garbarino expressed his frustration that “no visible action has been taken” in beginning the COTE planning process.

The Gallagher-King letter mirrors the recommendations of the CSC, which has long emphasized national resilience as a critical plank in the framework of layered cyber deterrence. The ability to quickly recover from cyberattacks against U.S. economic and military power will help deter U.S. adversaries from launching them. A COTE plan also tells “our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us,” the CSC wrote in its flagship March 2020 report.

Both letters stress the immediate need to assign a U.S. agency to lead this critical task. In particular, the lawmakers identify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency due to its connectivity to the private sector. Over 85 percent of U.S. critical infrastructure is privately owned, meaning that the cyber resilience at the heart of a COTE plan is dependent on public-private collaboration.

Much of the work to implement the details of a COTE plan will thus occur at the state and local level. The federal government should leverage systems and programs already in place instead of working toward developing a new plan on its own. The U.S. government has unique intelligence capabilities to understand current threats, but private companies and state and local governments better understand the specific needs of their regions. They are in the best position to prioritize resources that ensure the continuity of the economy after a large-scale, cross-sector cyberattack.

The federal government must identify ways in which it can support, not inhibit, these other stakeholders to prevent and respond to threats. The administration should focus on providing national-level perspective and, where needed, funding to enable effective joint action among private and public entities.

A cyberattack can occur at any time, making it imperative for the president to act without further delay. The clock is ticking.

Dr. Samantha F. Ravich serves as chair of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Cara Cancelmo is a program analyst. For more analysis from the authors and CCTI, please subscribe HERE. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.