November 14, 2022 | Policy Brief

Lawmakers Urge More Action to Ensure Resilience of the U.S. Economy

November 14, 2022 | Policy Brief

Lawmakers Urge More Action to Ensure Resilience of the U.S. Economy

Two Republican lawmakers sent a letter to President Joe Biden earlier this month expressing concern about the “limited action” the administration has taken to create plans to ensure the Continuity of the Economy (COTE) in the wake of significant, widespread cyberattacks or other natural or man-made events that severely degrade economic activity. As the two-year deadline approaches for the administration to provide its statutorily mandated initial plans to Congress, the letter signals congressional intent to continue prioritizing national cyber resilience.

The letter from Reps. Andrew Garbarino (R-NY) and Mike Gallagher (R-WI) expresses “immense concern” regarding an apparent lack of progress towards developing COTE plans since Congress first tasked the executive branch with doing so in the FY2021 National Defense Authorization Act. The letter follows previous missives from Garbarino and from Gallagher and Sen. Angus King (I-ME) at the end of last year. Garbarino noted last week that his prior letter has gone unanswered. The earlier letters apparently caused a reaction, however, as the White House did transfer its responsibility for developing the COTE plan to the Cybersecurity and Infrastructure Security Agency (CISA).

Calling COTE planning a “national security imperative,” the letter laments this nearly 15-month delay in tasking CISA. At the same time, the letter praises the choice of CISA, given its unique capabilities to analyze threats and to partner with the private sector — both of which are essential to develop and implement COTE plans.

Fortunately, despite the delay, CISA is not starting from scratch. The U.S. government has robust continuity of operations, continuity of government, national disaster response, and national infrastructure response plans. COTE planning can leverage existing infrastructure prioritization, emergency authorities, and response mechanisms to meet the statutory requirement to ensure the United States can withstand and quickly recover from a widespread cyberattack.

As the letter notes, what is different about COTE planning compared to other federal continuity and resiliency planning is the central role the private sector will need to play because the vast majority of critical infrastructure is owned and operated by the private sector. Much of the structure is already in place for the public-private coordination necessary for COTE planning. Each of the 16 critical infrastructure sectors enumerated by the federal government has a Government Coordinating Council and a Sector Coordinating Council. As the names denote, these councils serve as coordination bodies and facilitate cross-sector engagement, the latter of which is especially important because a widespread cyberattack might directly affect multiple sectors simultaneously. Alternately, because of the interdependencies among sectors, an attack affecting one sector might cause cascading degradation across others.

With much of the response planning and structure already in place, the critical, missing step will be centralizing the coordination necessary to develop, implement, and execute COTE plans. For this reason, Congress initially tasked the president and not a specific department with COTE planning. The national effort requires the ability to convene interagency partners, establish priorities, and hold federal agencies accountable so that the government can rapidly execute COTE if necessary. So, while CISA can write a COTE plan, only the president can lead its implementation.

CISA’s report to Congress in January is likely to be a plan for a plan rather than a fully developed COTE plan. However, if that report begins to identify the existing and missing structures and authorities, CISA will have made important progress towards ensuring the United States can quickly recover and respond to a significant cyberattack.

Annie Fixler is the deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. For more analysis from the Annie and CCTI, please subscribe HERE. Follow her on Twitter @afixler. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.


Cyber Cyber-Enabled Economic Warfare