After the Attack

Note: Memo authors join chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Rep. Andrew Garbarino (R-NY), executive chairman of Southern Company Tom Fanning, and CCTI Chair Dr. Samantha Ravich at an FDD event on September 13, 2023. (Watch here.)

Executive Summary

The strength of a nation’s economy shapes its military power, national security, and international influence. In a conflict, an adversary is likely to attack the U.S. economy in an attempt to undermine America’s ability to mobilize military forces, generate economic power, and exercise other policy options. Recognizing the devastation that cyberattacks and other adversarial action, as well as natural disasters, could have on the U.S. economy and defense industrial base, the Fiscal Year 2021 National Defense Authorization Act (NDAA) required the president to develop a Continuity of the Economy (COTE) plan to “maintain and restore the economy” in the wake of just such an event.¹

Sen. Angus King (I-ME) and Rep. Mike Gallagher (R-WI), chairmen of the Cyberspace Solarium Commission, wrote in their letter accompanying the commission’s groundbreaking March 2020 report that the concept of COTE not only serves as a guide for restoring economic functions, but it is also “a fundamental pillar of deterrence—a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.”² Congress adopted the NDAA provision on COTE because of the commission’s clear-eyed warning.

In August 2023, the executive branch belatedly delivered its response to Congress — as a report and not as a plan or even a plan for a plan. The report is an exploration of existing policies and frameworks relevant to COTE, yet it does not determine how these should be updated or improved.³

Among the critical shortcomings of the administration’s report is the missed opportunity to engage the private sector more effectively in the COTE process. Sustaining vital economic functions during a crisis requires a collaborative effort with private sector partners who provide nearly all critical economic services. This collaboration is often secondary in other disaster recovery planning efforts but is essential for COTE. The administration’s report fails to acknowledge this, instead concluding that COTE requirements are already addressed in existing plans. Yet elsewhere, the administration’s report notes that these existing plans do not specifically address recovery of the economy or the critical role of the private sector in that endeavor.

The report’s executive summary is even dismissive of Congress’ intent, determining that a COTE plan may be duplicative and could create confusion. While it is true that the federal government has robust emergency planning and response frameworks, those plans are effectively silent on how to restore the economy. A dedicated COTE program would harmonize existing plans, determine how and when to invoke existing authorities, and ensure the public-private collaboration necessary to restore the economy. Just as the nation spends enormous amounts of time and money every year ensuring that the U.S. armed forces can be called upon at any time, the federal government also needs to ensure that it can act swiftly — in partnership with the private sector — in the event of a major economic disruption. Planning for this “on the fly” invites failure.

Furthermore, while this memo agrees with the administration that existing emergency response frameworks should include economic recovery, the administration’s report neither establishes a process nor assigns responsibility to a specific individual or agency to ensure this integration happens. In short, there is no one in charge of ensuring federal agencies update their plans to acknowledge this growing challenge, and many plans are a decade old.

This memo is more forward leaning and presents a playbook to address these gaps, offering recommendations for a robust COTE governance structure. In a crisis, the White House (through the National Security Council) will oversee response and recovery efforts and leverage unique presidential authorities to mobilize the public and private sector resources necessary to enable economic continuity. This memo recommends that the White House homeland security advisor should lead these efforts, serving as national COTE coordinator. The national COTE coordinator will need an industry counterpart — a senior executive from a key critical infrastructure sector able to foster the necessary cross-sector coordination. With private industry holding many of the levers needed to restart the economy, this industry COTE liaison must be seamlessly integrated into decision making.

The national COTE coordinator and industry COTE liaison will need to draw on federal government and private sector actors to perform the day-to-day planning and operational support work. Specifically, this requires a national COTE manager to lead the planning, conduct the exercises, maintain situational awareness, and sustain the necessary relationships between federal agencies and critical infrastructure owners and operators on a routine basis. This person can also hold federal agencies accountable for adding COTE requirements into existing plans and reviewing and updating plans on a regular cycle. The COTE effort will need to leverage the resources and expertise of the Department of Homeland Security’s (DHS’s) National Risk Management Center as well as the industry-specific expertise of the federal agencies that serve as sector risk management agencies. It will also need to leverage existing, well-functioning mechanisms for public-private collaboration like the industry-led sector coordinating councils and their federal counterparts, the government coordinating councils.

In addition to outlining these roles, this memo’s playbook explains how to set up a COTE program, engage stakeholders, identify critical functions, and conduct exercises to develop and test iterative COTE plans.

Attempted cyberattacks against key pillars of the U.S. economy are already a daily occurrence, and China and Russia are reportedly currently installing malware intended to put critical infrastructures at risk in a contingency. The federal government therefore must plan for the eventuality of a successful, widespread cyber or physical attack on lifeline sectors of the American economy. Improving U.S. national resilience, to include effective COTE preparations and planning, will help ensure the nation can quickly recover and respond to any attack.

The Need for a COTE Program

When Hurricane Maria struck Puerto Rico in 2017, it disrupted all modern infrastructure on the island. Overnight, residents went from living with 21st century services back to the 18th century. Power was out island-wide, water services were down, communications networks were offline, ports were closed, and transportation networks were inoperable. People were displaced and unable to tend to their basic needs. The island’s economy came to a halt.

At the time, approximately 30 percent of Puerto Rico’s GDP came from pharmaceutical manufacturing. With more than 50 pharmaceutical manufacturing sites, Puerto Rico was key to the global supply chain, and outages at plants across the island prompted concerns about global shortages. In fact, disruption to IV bag production required healthcare facilities around the world to develop workarounds to continue patient care.

Cyberattacks can also have a downstream effect on supply chains across a wide geographic area. News of the May 2021 ransomware attack on Colonial Pipeline, for example, prompted panic buying at gas stations across the country. Fuel shortages at some airports on the East Coast required changes to flight schedules for some airlines. The Federal Motor Carrier Safety Administration declared a state of emergency.⁴

In that case, the federal government had mechanisms for mitigating the impact, but during Maria, Puerto Rico faced crises not experienced before. The lack of telecommunications, for example, meant that individuals and businesses could not use electronic transactions to pay for goods and services. Without the ability to use credit cards, demand for cash surged, but ATMs were also offline. In the weeks following the hurricane’s landfall, cash orders from local banks soared 700 percent, requiring the Federal Reserve to fly shipments of cash to the island on a regular basis to ensure continued economic functioning and viability. Once these flights landed, however, moving the cash to areas in need proved difficult due to washed out roads and bridges, leaving some areas particularly isolated.

A COTE program might not have anticipated the precise circumstances of Hurricane Maria, but exercising the related response and recovery efforts likely would have enabled the federal government to anticipate and mitigate some of the challenges it encountered and to respond in a more agile manner. White House-led interagency exercises conducted in the late 1990s, for example, were essential to understanding how to rapidly shut down U.S. airspace in response to the September 11 attacks.

Without plans that have been tested and procedures that have been practiced, decision makers are left with poor options, even in circumstances far less devastating than Hurricane Maria. When Superstorm Sandy struck the northeast in October 2012, the New York Stock Exchange faced a choice: close down or rely on an untested system for electronic-only trading. Concerns about the unproven system and the safety of employees at trading firms resulted in a historic two-day closure. According to a Reuters article at the time, exchanges and banks rapidly lost tens of millions of dollars in revenue.⁵

Emergency response decision making generally focuses on life safety and restoring lifeline infrastructure functionality.⁶ Until now, economic productivity considerations have normally taken a backseat. Existing social service systems that might address some of the economic considerations have been designed for geographically localized or industry specific impacts. The COVID-19 pandemic revealed that these systems cannot simultaneously handle a surge in demand across multiple sectors nationwide. The Federal Reserve had to develop special facilities quickly under its emergency provisions to sustain market functioning and provide necessary liquidity. The federal government hastily established programs with limited oversight and vast uncertainty about whether or how they would function. The result? Pervasive fraud.⁷ A well-coordinated COTE program, in contrast, could have offered decision makers ideas for macroeconomic policies that had been tested in national level exercises.

Assessing the Federal Government’s COTE-relevant Capabilities

Against the backdrop of the COVID-19 pandemic and escalating cyberattacks against American companies, Congress recognized the need for more robust planning to withstand and quickly recover from economic shocks. The FY2021 NDAA — signed into law on January 1, 2021 — required the president to submit an initial plan to Congress by January 3, 2023. Congress also required updates to the plan at least every three years to ensure that the executive branch will not simply collect the data outlined in the statute but will also develop, exercise, and adjust its plans on an ongoing basis.

After a year of delay, the White House belatedly delegated responsibility for responding to the congressional directive to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), specifically to its National Risk Management Center (NRMC). With very limited funding and resources for the effort, the NRMC delivered its report to the White House in January 2023. Seven months later, after a lengthy interagency review process, the president delivered the report to Congress.⁸

The report contains significant contradictions, likely the result of this interagency process. Its executive summary concludes that creating a COTE plan could create confusion and that existing authorities, policies, and plans already address COTE requirements. And yet, the report itself later recommends additional analysis to determine if existing plans actually tackle the variety of cascading impacts that attacks on critical infrastructure might entail. It acknowledges that existing authorities and policies may have gaps and that few comprehensive resilience plans exist.

Most troubling is that, in concluding that the U.S. government already has the COTE issue covered, the report risks continuing the bad practice of marginalizing the private sector’s role in addressing a COTE contingency. The current level of private sector involvement in government preparedness efforts is limited, and in actual decision making it is nearly non-existent. The report could have emphasized and enshrined in policy the role of the private sector in developing solutions and making decisions, but the report fails to do so.

Leveraging and Updating Existing Planning

Despite the problems with other sections of the report, the administration’s detailed analysis of COTE’s relationship to existing policies, processes, and frameworks is thoughtful and measured. Economic recovery is intertwined with emergency response, and thus numerous existing frameworks are relevant to COTE. But these existing policies focus primarily on emergency life-safety response and recovery, while Congress intended COTE to supplement existing work by ensuring recovery efforts anticipated the steps to ensure national-level economic recovery. Table 1 lists the gaps existing documents.⁹

Table 1: Gaps in Existing Emergency Preparedness and Response Documents

Presidential Policy Directive (PPD)-21	PPD-21 requires the secretary of homeland security to coordinate federal government response to significant cyber or physical incidents affecting critical infrastructure but provides limited details and does not focus exclusively on COTE-level events.
National Critical Functions	NCFs are often applied to a broad range of events, not necessarily COTE-level events.
National Critical Infrastructure Prioritization Program (NCIPP)	State, local, tribal, and territorial participation is voluntary and inconsistent. The full NCIPP list is also classified, restricting its utility in COTE scenarios.
PPD-8	PPD-8 does not specifically address recovery of the economy.
National Response Framework	The Nation Response Framework does not focus on economic recovery and is traditionally used for regional or smaller events that do not require significant economic restoration.
FEMA’s Community Lifelines	FEMA’s Community Lifelines are limited to incidents with significant life and safety impacts, whereas a COTE response could be triggered by other factors.
Emergency Support Function-14 – Cross Sector Business and Infrastructure	Emergency Support Function 14 does not include economic policymaking.
National Essential Functions	National Essential Functions focus on ensuring only that the federal executive branch is performing its functions.
Homeland Security Presidential Directive-5	The directive does not clarify how the National Incident Management System and/or a principal federal official could be used to coordinate the economic consequences of a COTE-level event.
PPD-41	PPD-41’s response approach has not been tested sufficiently to determine its efficacy in COTE scenarios.
PPD-44	PPD-44 may not provide clarity needed, particularly around designating a lead federal agency, for departments and agencies to use it to manage a significant event with widespread impacts.

One omission from this list is the National Infrastructure Protection Plan (NIPP) and the corresponding sector specific plans, perhaps because those plans are nearly a decade old. Successive administrations have failed to update the NIPP and sector-specific plans in a routine manner. In fact, the 2015 NIPP was supposed to be reviewed and reissued no later than 2018, but it has not been updated yet. Some press reports say the Biden administration is withholding the release of an updated NIPP until after it rewrites Presential Policy Directive 21 (PPD-21), which establishes governance for critical infrastructure security and cooperation with the private sector.¹⁰ The Obama administration issued PPD-21 in February 2013, so it is egregiously out of date as well. The sector specific plans that enable the NIPP are also at least eight years old, and many are cookie-cutter copies of each other rather than a thoughtful exploration of sector-specific risks and remediations. After more than 30 months in office, the Biden administration joins the Trump administration in owning these failures to take action.

Elsewhere in the report, the administration does recommend that critical infrastructure sectors and their federal partners (known as sector risk management agencies) review existing frameworks and update sector-specific plans. The failure of successive administration to update the NIPP and sector-specific plans, however, indicates that mere recommendations to update planning documents are not sufficient. The report, however, provides no mechanism to hold federal agencies accountable for implementing its recommendations.

One positive area highlighted by the administration’s report is that the federal government does retain a great deal of emergency response planning and coordination capabilities for national security crises and natural disaster emergencies. A COTE program could leverage these capabilities to ensure the federal government works with priority critical infrastructure operators and local authorities to promote full economic recovery, alongside national security and disaster response actions, in an orderly manner. The National Response Framework is built to be flexible and scalable. FEMA’s National Response Coordination Center¹¹ can provide a valuable coordination mechanism so that entities implementing COTE plans are cognizant of the actions being taken by federal and local partners to restore community lifelines.

While the existing frameworks are not yet fully interoperable, COTE planning can leverage recent strides to improve interoperability. In turn, the COTE program can also provide an opportunity to better connect these communities of practice. In doing all of this, the federal government can expedite COTE’s development and ground it in practical considerations so it can be implemented in catastrophic emergencies.

In addition to these programs, the federal government has a National Exercise Program that carries out a two-year cycle of exercises at various levels with a range of public and private sector partners to evaluate national preparedness and response capabilities. The program leverages a common exercise planning methodology to effectively integrate exercises planned by federal, state, local, tribal, territorial, and private sector participants. Integration of COTE elements into this process would be equally beneficial.

Authorities and Coordination Mechanisms

The administration’s report concludes that the federal government appears to have many of the emergency authorities it might need during a COTE-level incident. This memo concurs with that assessment. Without needing drastic revisions to government authorities, the federal government and its private sector and state and local partners can leverage existing planning and coordination capabilities to protect economic security. The report does caution, however, that federal agencies should regularly assess whether there are gaps in policies and authorities. This is a sound recommendation.

The bigger challenge, however, will be bringing together the plans, authorities, and coordination mechanisms rapidly and in the middle of a crisis. Today, a series of Presidential Emergency Action Documents (PEADs) supports readiness for implementing emergency measures. PEADs are pre-vetted documents for the president to use to invoke a range of emergency authorities quickly in a major disaster. These could readily lie at the heart of how the federal government would execute a COTE plan. To ensure readiness at all times, the federal government should develop a playbook of which authorities to invoke and when. It should maintain this playbook and the appropriate PEADs with the president at all times, even on travel, much like the “nuclear football.” Activating PEADs requires the president’s physical signature, and in the immediate aftermath of a major incident, the economic recovery of the nation cannot afford to wait while White House staffers track down documents and fly them to the president.

A president rarely activates just a single emergency response program. The complex dependencies and overlaps between these programs require coordination mechanisms to ensure that priorities and actions are synchronized throughout a response effort. COTE would rely on the National Security Memorandum 2 process for facilitating interagency coordination and presidential decision making. This mechanism convenes interagency policy committees to ensure that federal resources and authorities are being used appropriately to address the crisis. This largely makes sense for COTE, with one exception: interagency policy committees do not include private sector leaders. The president, however, can designate industry executives as members of the National Defense Executive Reserve program, making them federal employees in an emergency. These leaders can then participate in the deliberative process for presidential decision making.

The Stafford Act grants the president the authority to respond to disasters and establishes processes for providing federal recovery assistance but does not cover cyber incidents. If the federal government needs to activate COTE in response to a cyber incident, it will likely need to rely on coordination mechanisms under PPD-44 instead.¹² The administration’s report, however, warns that PPD-44’s mechanisms for designating a lead federal agency for response coordination may lack the clarity necessary for managing a significant incident with widespread impacts. That evaluation is accurate, and the issue must be addressed.

Finally, for coordination, the COTE program can leverage industry-led and -organized sector coordinating councils and their corresponding government coordinating councils, which draw from federal, state, and local governments and facilitate interagency coordination with the private sector. A COTE Management Committee, as discussed below, should be responsible for working with these councils to ensure that all critical infrastructure sectors have a shared understanding of COTE priorities and the ability to work together to sustain critical functions.

Mechanisms to Identify Priority Assets

A COTE program will need to determine what functions and services are necessary for minimal economic activity to ensure national and homeland security functions during a nation-wide crisis. With limited resources available, not every company or municipality will be first in line for recovery assistance. Competition between states and localities for resources is detrimental to recovery, but choices will have to be made about who gets what resources and, ultimately, who does not. The guidance, rule-making, and legal reviews required for making these decisions, made in advance of a crisis and not in its midst, will then inform the development of national, regional, and local policies and procedures and relevant public-private partnerships.

In particular, a COTE program can use its analysis around minimum economic functions to coordinate with the owners and operators of the relevant infrastructure — along with governments at all levels — to assess damage, prioritize restoration efforts, rally necessary resources, and ensure that national needs are met. The program can leverage and improve existing mechanisms for identifying priority assets and infrastructure.

Even as the federal government has improved its ability to identify and prioritize infrastructure that is important for economic functioning, gaps remain. For instance, technological changes in the telecommunications industry have altered the balance of wireline versus wireless communications infrastructure. But some mechanisms for identifying priority assets still rely on the Communications Act of 1934, which does not account for elements of communications infrastructure such as Internet Service Providers and their requisite data centers or terrestrial fiber communications.

Multiple other frameworks exist for identifying important systems and assets on a sector-by-sector basis. These include designations such as: Global Systemically Important Banks, Defense Critical Infrastructure, and Defense Critical Electric Infrastructure. These frameworks, however, do not look across sectors or at interdependencies between sectors, even as wide-scale automation of industrial equipment has created significant cross-sector vulnerabilities. For example, the functioning of water treatment facilities and natural gas pipelines depends on functional electric power infrastructure, which itself depends on water for cooling and natural gas for fuel.

Shortcomings in how assets are prioritized only widen as technology changes. Even Section 9 of Executive Order 13636, Improving Critical Infrastructure Cybersecurity¹³ — which requires the government, on an iterative basis, to identify and work with the most critical of critical infrastructure — fails to account for vital industries that are associated with newer technologies, like cloud service providers. And like so many other critical infrastructure policy documents, it is 10 years old and dated.

Effective prioritization in the complex overlaps between sectors will be essential to a robust COTE planning program. Recommendations from the Cyberspace Solarium Commission and more recently from CISA to establish new “systemically important critical infrastructure” or “systemically important entity” listings to update Section 9 of EO 13636 would likely be an essential input into COTE planning. A COTE governance structure (as outlined below) can provide needed guidance to all levels of the government and private sector to develop sector-specific and cross-sector prioritization efforts.

Scoping the COTE Program

With the private sector on the frontlines of this new battlespace, the federal government will need to incorporate non-traditional stakeholders into planning and execution so that recovery efforts address the full scope of impacts. Properly framing COTE programs will help ensure the right players are at the table.

In the FY21 NDAA, Congress scoped Continuity of the Economy planning to focus on economic functions essential to the “security; economic security; defense readiness, or public health or safety.”¹⁴ This memo posits five pillars as the minimum functions of an economy necessary to support congressionally specified priorities:

1. The ability of individuals to meet their basic needs (beyond emergency food, water, and shelter);
2. The ability of geographic communities to provide essential services to their populations;
3. The ability of institutions and organizations to engage in commerce;
4. The ability of the government to support U.S. military forces as part of force generation and sustainment efforts; and
5. The ability of the nation to maintain economic relationships abroad that sustain national security and advance national interest.

None of these can be sustained on their own for more than a brief interval. People require steady income to address their individual needs. Organizations provide that income by engaging in commerce. This, in turn, provides a tax base necessary for communities to deliver essential services. In combination, all of this provides the nation with the economic strength necessary to engage with international partners. A significant degradation in one or more of these pillars can quickly cascade across multiple economic sectors, causing catastrophic harm.

A first step in COTE planning, however, is the recognition that continuity of the economy will not entail full operation of the economy at pre-incident levels. Rather, it emphasizes core functions that ensure the flow of money, goods, and services remains viable. The five pillars above serve as a guide for establishing the specific thresholds that would require COTE to be activated. While existing emergency plans can provide for these needs at limited geographic levels, COTE provides a way to address national-level or systemic impacts to the flow of commerce.

Activation Triggers

The administration’s COTE report recommends creating planning scenarios to identify disruptions whose magnitude would trigger the need to activate COTE plans. Once again, however, the report simply indicates that the federal government should do this as part of existing mechanisms, without designating a responsible party that could be held accountable for its completion.

Instead, this memo posits that a designated COTE program should exist to identify how and when to make the determination to activate the capabilities that make up the COTE effort. Leaders in the public and private sector must understand what conditions will require activating COTE. They will need viable and well-understood mechanisms to collect and assess the information and to make and communicate decisions. Personnel involved should, for example, continually emphasize that COTE is meant as a temporary measure to bridge between initial response, crisis management, and long-term recovery efforts. The president’s homeland security advisor, acting as national COTE coordinator (whose full responsibilities are explained below), will need a regular flow of information and intelligence to monitor potential threats and hazards to critical infrastructure and determine when an incident or crisis has risen to the level that requires activating COTE plans.

Similar to Continuity of Government (COG) plans, a national-level COTE activation should only happen at the direction of the president, although subordinate officials (whose roles the memo prescribes below) could initiate individual sector components of COTE plans. Based on the overall goal to sustain the five pillars enumerated above, the COTE program could have triggers to guide the decisions necessary to put plans into action. These triggers can include measures that indicate whether:

• Institutions sustain the liquidity necessary for economic transactions;
• Infrastructure necessary for economic functioning at regional or national levels is degraded or non-functional;
• The population in an impacted area can access funds necessary to exchange money for goods and services;
• Military forces have the necessary civilian infrastructure to fulfill their mobilization plans;
• International economic exchanges and infrastructure for significant imports and exports are degraded or non-functional; or
• Governmental entities at the federal, state, and local levels are limited in their ability to provide benefits or services at the necessary scale.

Recommendations for Structuring the COTE Program

The administration’s report failed to provide the recommendations necessary to structure a COTE program. This memo will endeavor to fill that gap.

1. Develop and Improve the COTE Governance Structure

A successful COTE effort requires clear authorities, responsibilities, and integrating mechanisms that enable effective planning and well-coordinated execution. It needs senior-level sponsorship and oversight as well as operators who do the day-to-day planning, exercising, and interagency and private sector relationship management.

National COTE Coordinator

As envisioned by the legislation requiring COTE planning, COTE necessitates a national effort with centralized coordination. This can best be accomplished by a national COTE coordinator who serves in the Executive Office of the President with the power to convene federal partners. This person will also serve as a key point of contact for senior private sector COTE participants.

The national COTE coordinator can establish priorities and direction for the program, promulgate training and exercise objectives, and establish the accountability necessary to ensure that federal entities are implementing and maintaining the COTE program to allow for rapid execution when necessary. The national COTE coordinator should be the homeland security advisor or at least be an official at the level of an “assistant to the president” and capable of convening the National Security Council Principals’ Committee to address COTE planning, testing, and execution so that COTE direction and actions can be coordinated by the national security decision-making process.¹⁵

The homeland security advisor is a natural fit to serve as the national COTE coordinator, as the position has the requisite scope, access, and authority to leverage the NSM-2 process to integrate a whole-of-government effort to engage the whole-of-society cooperation necessary to initiate the COTE program.

Industry COTE Liaison

Because most COTE actions will take place in the private sector, leadership of the program must be equally shared by a private sector senior executive capable of fostering cross-sector coordination before, during, and after crises. Accordingly, the president should identify an industry COTE liaison to partner with the national COTE coordinator in establishing and overseeing the program. The industry COTE liaison needs to be well versed in existing cross-sector collaboration, especially for sectors that have been repeatedly identified as uniquely critical, such as energy and communications.

The industry COTE liaison should be designated as a member of the National Defense Executive Reserve corps to ensure that the federal government can quickly leverage unique private sector expertise in a catastrophic emergency. Being a member of the National Defense Executive Reserve corps means that this person could be “activated” as a federal employee so that they can be part of deliberative processes to support presidential decision making.

National COTE Manager

While overall COTE authority can rest with the national COTE coordinator, the Executive Office of the President is not equipped to provide the planning and operational support necessary to establish, implement, and execute the COTE program. Accordingly, a national COTE manager will be necessary to provide day-to-day leadership and integrate the efforts of COTE stakeholders into a cohesive program.

The national COTE manager should be a senior appointed official in DHS engaged with the critical infrastructure preparedness and resilience efforts across the interagency and knowledgeable of the authorities and existing mechanisms to collaborate with the private sector. This person could be the CISA director or a senior official located within DHS’s Office of Strategy, Policy, and Plans.

The national COTE manager should be responsible for establishing and running the COTE governance structure, promulgating requirements for COTE plans, submitting COTE efforts to congressional oversight, aggregating identified resource needs and priorities, collecting and communicating identified strategic reserve needs, and providing training and exercise services to the COTE community of effort. This will require dedicated resources that remain stable over a sustained period, similar to the way FEMA’s National Continuity Programs office supports the ongoing maintenance and continuous improvement of Continuity of Operations and Continuity of Government capabilities.

Sector COTE Liaisons

As noted above, the private sector will carry out many COTE efforts. This means that expertise from multiple industries must drive development and implementation of the COTE program. To accomplish this, multiple sector COTE coordinators from private industry can be designated to work with the industry COTE liaison. Sectors identified as essential to the COTE effort, such as energy, communications, financial services, critical manufacturing, and information technology, among others, would each have designated leaders to help guide and coordinate the private sector actions necessary to carry out COTE preparedness and activation. It would be logical for these liaisons to come from the private sector leaders of the existing industry-led and -organized sector coordinating councils.

These individuals could also be designated as members of the National Defense Executive Reserve to be activated to federal service when COTE plans are implemented to ensure that effective sector-based expertise is leveraged in national-level decision making. Their expertise will facilitate planning efforts and information sharing. It will also ensure that crisis management efforts incorporate COTE requirements and priorities to assign resources as necessary to execute provisions of a COTE plan.

Sector COTE Managers

The national COTE manager will require sector-specific expertise and support to develop and implement the COTE program. Leveraging the expertise of the sector risk management agencies that lead sector-based efforts for infrastructure security and resilience efforts will be necessary. Accordingly, officials in an appropriate subset of sector risk management agencies can be designated as sector COTE managers to ensure that ongoing public-private collaborative efforts support COTE planning, resourcing, and implementation. It would be logical for these government officials to come from the existing government coordinating councils.

COTE Management Committee

A COTE Management Committee of public and private sector partners should engage the public and private sector coordinators and managers and facilitate joint planning. This committee should use existing collaboration mechanisms to assess and analyze existing data to produce the deliverables required of the COTE effort.

The COTE Management Committee should also review prioritized infrastructure lists, such as CISA’s Systemically Important Entities lists, to identify the specific assets, systems, and networks that should be part of COTE plans. These should be drawn from Tier 1 assets, Section 9 entities, Systemically Important Financial Market Utilities, Global Systemically Important Banks, Defense Critical Infrastructure, and Defense Electric Critical Infrastructure.

2. Issue a COTE-specific National Security Memorandum

The executive branch should anchor this COTE framework in a new National Security Memorandum (NSM) to coordinate public and private sector efforts to sustain the functioning of critical infrastructure and other economic functions vital to the stability and security of the nation. (See Appendix 1 for a set of priorities and actions that should be included in the NSM.)

The governing document should assign responsibilities for governance, with clear roles and responsibilities for continuity programs established across the federal executive branch to include establishing a designated national COTE coordinator and manager. Both DHS and other designated departments and agencies should be required to support planning and implementation of continuity programs through intelligence support, contingency communications, budget, human capital, and facilities, to include efforts with state, local, tribal, and territorial authorities and private sector entities. Through a series of activation levels, government continuity programs can act on alerts and warnings to effectively engage the private sector and proactively change infrastructure posture in a coordinated and standard manner to minimize disruption from imminent threats and hazards. DHS and the White House should then be required to work together with private sector owners and operators to test and exercise the continuity program to ensure that the departments and agencies can meet specified objectives.

3. Enhance COTE Stakeholder Engagement

Establishing the governance structure and engaging the necessary expertise across the public and private sectors requires a robust stakeholder engagement effort. Based on existing coordination mechanisms, this can begin with engaging the relevant government coordinating councils and sector coordinating councils. Leveraging the existing structure allows for sensitive discussions to be held while providing information security protections for those involved.

Because the COTE plan will need to work seamlessly with the National Response Framework and the National Continuity Program, COTE leads should engage FEMA leadership early on. This engagement should address interoperability with existing plans and capabilities, ensuring that COTE information is incorporated into existing reporting channels, such as the FEMA Senior Leader Brief, to avoid duplication and confusion.

4. Establish a Common Planning Framework and Develop a COTE Plan

To meet the congressional mandates to establish a COTE plan and identify strategic resourcing needs, a common planning approach across all COTE stakeholders is necessary. The national COTE manager should establish a planning team, inclusive of public and private sector expertise, to develop and promulgate consistent guidance for COTE stakeholders along with a prescribed timeframe for completing key steps of the planning process.

This guidance should foster an understanding of COTE among stakeholders, establish national COTE priorities, develop readiness procedures and metrics, and promote interoperability with existing preparedness and response activities. It should lead to a COTE plan that includes specific direction, deliverables, and timeframes for the following:

1. Determining, socializing, and communicating sector-level functions critical for COTE;
2. Identifying a mechanism to maintain situational awareness and incident reporting for critical sector-level functions;
3. Designating an entity to serve as a coordination and communication center for sector-level functions;
4. Identifying primary, alternate, and contingency means of communication to coordinate sector-level COTE actions;
5. Defining specific actions to implement at all COTE warning and activation levels;
6. Assembling an inventory of emergency authorities that support sector-level functions in emergency situations;
7. Establishing a test, training, and exercise program for sector-level COTE capabilities that includes a corrective action process to identify, track, and act on opportunities for improvement;
8. Implementing a process to identify strategic reserve requirements, develop resource requirements to support them, and program them into relevant public and private sector budgets; and
9. Developing a process to provide sector-level information to the national COTE manager for an annual report to the national COTE coordinator.

5. Determine COTE Critical Functions

Sector COTE Managers and their industry liaisons will need to determine the specific functions necessary to document in the COTE plan.¹⁶ Working with FEMA, the managers can use this as a starting point for federal-level interoperability with COTE critical functions. Leveraging national critical functions will also help determine criticality criteria and ensure interoperability of COTE critical functions with existing frameworks.

As part of this effort, the COTE program will need to identify minimum viable capabilities of assets, systems, and networks necessary to sustain economic functioning in a degraded but acceptable state. These minimum viable capabilities should then establish maximum tolerable disruptions sufficient to trigger COTE activation. The program will also need to determine the minimal resources necessary to continually operate or transition operation of these assets, systems, and networks. These resources should include personnel, facilities, equipment, materials, finances, data, information technology, and communications.

6. Continually Assess Emergency Authorities

While it is the administration’s assessment (and the assessment of this memo) that the federal government has the necessary emergency authorities to undertake COTE efforts, a robust COTE program should persistently review and assess these authorities. It should identify existing emergency authorities that assets, systems, and networks will need to leverage to assure continued viability or rapid transition to alternate operating means.

This is especially important because these authorities are complex, rarely utilized, and require specialized expertise and analyses. To ensure that they can be quickly leveraged in a COTE-level incident, the federal government should collaborate with the private sector and academia to evaluate relevant authorities, provide legal analyses that will enable rapid utilization, and identify gaps in authorities that could hinder effective COTE activation. The executive branch — in concert with Congress — will then need to close the gaps.

7. Exercise the COTE Framework

As with other emergency response and recovery efforts, regular and robust exercises are necessary to validate assumptions, ensure capabilities can meet established objectives, and identify opportunities for improvement. Exercises test the ability to coordinate between and among engaged COTE entities in a catastrophic emergency.

Accordingly, COTE efforts should be incorporated into the National Exercise Program. Leveraging this existing network of practitioners also allows COTE efforts to capitalize on established planning and evaluation expertise and to work collaboratively with other key parts of the nation’s response and recovery system.

At the outset, COTE will require tailored and specific exercises that test the ability to identify incidents of concern to COTE objectives and provide for situational awareness. Tailored exercises should also foster implementation and coordination to invoke appropriate authorities, coordinate implementation efforts, and demonstrate performance in sustaining functions essential to COTE. This will also help to meet ongoing training requirements for members of the National Defense Executive Reserve program who are designated as part of the COTE program.

Moving forward, a regular, national COTE exercise will be necessary to ensure that all involved entities are engaged in continuously improving public-private coordination to implement the measures necessary to sustain infrastructure functions in a disruption. This regular COTE exercise can be incorporated into the existing, recurring exercises for Continuity of Government. This would provide an opportunity to align COTE efforts with COG plans to ensure interoperability.

Finally, the COTE program will need to leverage assessments and after-action reports of exercises to determine whether the county has the necessary strategic reserve and whether COTE requires domestic production of certain goods to harden critical supply chains.

Conclusion

While this paper outlines how the government should organize itself and work with the private sector, it cannot make the tough choices that will need to be made during an actual crisis. Recovery efforts will involve prioritization of limited resources. Not everything, not everywhere, not everyone can be a priority. The citizenry needs to understand this so that, in parallel with federal efforts, the nation can build resiliency at a local level with the sober understanding of when the federal cavalry will and will not be coming.

A COTE plan developed in the executive branch, in partnership with the private sector and anchored in presidential guidance through a COTE-specific National Security Memorandum, will provide the necessary framework to respond to cyberattacks and other events that may have devastating regional or national economic impact. Congress will need to review and conduct oversight of executive branch efforts and ensure DHS and relevant departments and agencies have proper resources and authorities.

The recommendations included in this paper provide both long-term solutions for governance, stakeholder engagement, planning, exercising, and activation triggers as well as a short-term plan to jumpstart COTE efforts using existing programs. Appendix 1 also includes key points a draft National Security Memorandum should include to guide COTE-specific efforts.

Appendix 1: Guidelines for a Continuity of the Economy National Security Memorandum

If the Biden administration intends to initiate a Continuity of the Economy program, it will need to articulate administration policy clearly, provide specific roles and responsibilities, and set forth clear deliverables that will meet congressional directives. The following are key principles that should be included in a policy document (National Security Memorandum) addressing COTE requirements:

1. Establish clear public and private sector executive leadership. Continuity programs are only successful with strong leadership support. Establishing a national COTE coordinator and industry COTE liaison is necessary to ensure that senior-level priorities drive COTE development and implementation and that COTE plans meet national-level strategic objectives.
2. Prioritize planning with the “critical of the critical.” Continued functioning of the economy depends on a specific subset of critical infrastructure. Accordingly, COTE planning and coordination should focus on planning, resourcing, training, and testing the ability of vital economic infrastructure to provide essential functions in crises. This requires specific actions by a limited number of private sector partners. These partners in turn require more active collaboration and coordination with the federal government to ensure they can meet objectives for economic functioning.
3. Emphasize the importance of private sector expertise. The private sector owns and operates the infrastructure that is the backbone of the economy. Activating COTE plans will require infrastructure to adjust operations in ways that require industry-specific expertise. This means that government and industry will need to implement emergency authorities, adjust infrastructure operations, and monitor real-time implications for economic functioning simultaneously. This can only be done when the private sector is actively engaged in sharing information and coordinating operations.
4. Capitalize on existing programs but focus on action and operations. Continuity and infrastructure resilience programs provide a robust foundation for COTE planning. The actions necessary to rapidly prioritize infrastructure services, implement emergency authorities, identify and rally resources to degraded capabilities, and make essential trade-offs, however, require a plan that can be implemented at a moment’s notice. COTE policy deliverables should make operational utility a key foundation. The resources to synchronize, operationalize, and monitor adjusted operations are central to a successful COTE program.
5. Ensure robust testing, training, and exercises. COTE actions will need to be implemented on short notice, with a high degree of reliability, in challenging environments. To validate that plans can meet established requirements, COTE efforts must include a robust testing, training, and exercising component to ensure that they are functional and interoperable with the range of unique and complex federal response plans and capabilities.
6. Establish a legal center of expertise to support COTE. The authorities necessary for an effective COTE program are complex, rarely utilized, and require specialized expertise and analyses. To ensure that they can be quickly leveraged in a COTE-level incident, a COTE policy should direct that the federal government collaborate with the private sector and academia to evaluate relevant authorities, provide legal analyses that will enable rapid utilization, and identify gaps in authorities that could hinder effective COTE activation.
7. Ensure a COTE plan prioritizes situational awareness, resource requirements, mechanisms to implement emergency authorities, and public-private operational coordination. Developing an actionable plan to ensure minimum viable functioning for essential economic services requires capabilities to determine near real-time infrastructure operations, determine gaps in minimum viable functioning (determined in advance of disruption), identify and communicate resource needs, and support rapid and effective implementation of emergency authorities. The COTE effort must be based on effective operations that support rapid decision making and execution beyond the day-to-day analytic and preparedness efforts that enable it.