Disaster Discourse: The Hagerty Blog

Bridging the Gap: Understanding the Role of Emergency Management in Cybersecurity Planning and Response


Between October 25 and 26 of 2016, 911 emergency dispatch centers in at least a dozen states from California to Florida were overwhelmed by what investigators now believe was the largest cyberattack on the country’s emergency-response system. The attack caused hundreds of smartphones to dial 911, flooding call systems with excessive phone traffic. Although no injuries or deaths were linked to the resulting disruption in service, this is a key case study in which a cyber incident, linked to a piece of malicious code pushed out by Twitter, has triggered cascading, real-world effects, compromised public safety, and necessitated an increased role in response from the emergency management community.

Cyberattacks can compromise real world systems and have real world effects far beyond the initial breach, and the recent 2016 attacks are not the only high profile attack with real-world effects. In 2014 breaches to the Office of Personnel Management (OPM) resulted in the theft of personally identifiable information for tens of millions of people. The attack has been linked to China. A cyberattack on Sony Pictures in 2014 led to leaks of information such as personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films. This attack was later linked to North Korea.

Kinetic Cyber Threats and Emergency Management

Although the attacks on OPM and Sony show that personal information has been a key target, recent trends indicate that actors are now setting their sights on compromising critical infrastructure, introducing the involvement of emergency management.

As adversaries seek to target critical infrastructure using malware, the reality of the virtual world colliding with the physical world and causing real world damage becomes more apparent. Should threat actors be successful in compromising a piece of critical infrastructure, affects could be catastrophic. In fact, in early January, an electricity provider in Vermont detected advanced malware in their system linked to the same malware affiliated with the Russian hack of the Democratic National Convention. Vulnerabilities exist within communities, large and small, here in the US, and that a successful attack on critical infrastructure has the potential for devastating effects to public life and safety. A malware-based incident at a wastewater treatment plant could directly lead to a public health crisis by causing untreated water to backlog into fresh water. Although a compromise to any one piece of infrastructure considered critical could be considered catastrophic, among the most devastating would be a large-scale compromise to the electric grid. A compromise to the grid could not only cause a severe blackout, but could trigger innumerable cascading events, including transportation disruptions, food shortages, and communications systems failures.

What Does This Mean for Emergency Managers?

As cybersecurity threats continue to evolve and hostile actors, possibly supported by foreign states, target public and private information technology (IT) infrastructure, the emergency management community is faced with a dilemma in addressing cybersecurity; the disconnect between the culture of departments responsible for maintaining IT, critical infrastructure, and emergency management. Hagerty Consulting has three key recommendations to assist emergency managers to bridge this gap.

Recognize the Problem – The first step is recognizing and understanding the key challenge; historically, IT and emergency management functions have been separate and distinct, which often leads to the assumption that emergency management does not have a role in cybersecurity planning and response. IT is responsible for the prevention of cybersecurity threats through mechanisms such as system hardening, software patching, and penetration testing, Emergency management handles physical response through the deployment of first responders and their equipment. With functions that are so inherently distinct, it is often difficult to conceptualize tangible linkages between the emergency management and IT functions within government. However, the evolving threat landscape necessitates a deeper collaboration between IT and emergency management than what currently exists as sophisticated adversaries aim to compromise key pieces of critical infrastructure.

Establish Pre-Event Relationships with IT and Private Sector Partners – Emergency managers should collaborate with their partners in IT departments and the private sector before an attack occurs. Helping emergency management respond to cyber threats is not to force first responders to learn coding or train them in malware identification. Instead, bridging the historical gap between the IT and emergency management community’s means tapping into emergency management’s strength of operational coordination and communication. Furthermore, collaborating with private sector partners, who own a significant portion of critical infrastructure, will ensure that response is streamlined. In a significant cyber event that has kinetic effects, IT would manage the virtual response (e.g. quarantining the malware, scanning systems) and emergency management would manage the physical response (e.g. establishing unified/area command, managing on-scene incident management); while both entities ensure response is being coordinated throughout the incident.

Develop a Mechanism for Operational Coordination in Cyber Incident – Emergency managers should take steps to ensure that relationships with IT partners are actionable and executable. The key is establishing a mechanism for operational coordination to ensure IT and emergency management are collaborating throughout the response, and not operating in a vacuum. This could include developing cyber threat annexes to their Emergency Operations Plans; implementing a framework for cyber incident response and operational coordination with IT; establishing clear roles and responsibilities and assigning ownership; and conducting workshops, trainings, and exercises with IT partners to review mechanisms for collaboration in a cyber incident.

Siobhan Mullen is a Managing Associate and the Project Lead for Hagerty Consulting’s Cyber Preparedness Portfolio. Ms. Mullen has served as project manager and lead planner in a multitude of preparedness planning efforts, including continuity of operations, evacuation, mass care, disaster recovery, and training and exercise. She has a bachelor’s degree in Administration of Justice and a master’s degree in Cybersecurity and Intelligence.