Disaster Discourse: The Hagerty Blog

How Ready are You to Respond to a Cyber Attack?

How Ready are You to Respond to a Cyber Attack? Four Things You Can Do to Prepare for a Better Response

Cybersecurity was the fifth highest-rated priority core capability, but the lowest-rated in proficiency, among all 31 core capabilities in FEMA’s 2016 National Preparedness Report. This means that security professionals and emergency managers believe cyber threats are a significant risk, but very few are prepared to deal with the threat.

The relationship between cybersecurity and emergency management is a hotly debated topic among information security experts and emergency management professionals. Purchasing and maintaining cyber systems is the responsibility of information security specialists – or Chief Information Security Officers (CISOs) – and the prevailing assumption is that the consequences and effects of a breach will remain in cyber space.  Therefore, response to an incident will be led and supported almost exclusively by information security experts, not emergency managers. But has this assumption of full-cycle ownership, the assumption that the CISO is responsible for dealing with the aftermath of a largescale cyber-attack, hampered our ability to adequately prepare?

Governments, businesses and individuals are being targeted on an exponential basis. In 2015 a leading internet security firm discovered more than 430 million new unique pieces of malware, a 36 percent increase of the intrusive forms of software from the previous year.[1] And in this environment of increased threat, public infrastructure is becoming a target of choice among both individual and state-sponsored cyber-attackers, who recognize the value of disrupting what were previously thought of as impenetrable security systems. It seems inevitable that these targeted attacks are going to disrupt critical public services: electricity, potable water, communications, transportation, and many other vulnerable systems.  The aftermath will require an unexpected lead coordinating role by emergency managers that directly impact cyber response and recovery tasks. Do we as emergency managers know enough about cyberspace and response procedures to be able to provide adequate support?

Returning to the National Preparedness Report, States are prioritizing and emphasizing preparedness on cybersecurity, with over 70 percent claiming that they perceive ownership of addressing cybersecurity capability gaps as entirely or mostly a state and whole-of-government responsibility. So while cybersecurity was once thought of as a predominantly federal-level responsibility, it is gradually being underscored for what it’s actually always been – a whole community preparedness responsibility.

Four Things You Can Do to Protect Your Systems from Uncertain Threats:

So what can government agencies and companies do to better prepare for a cyber threat that may disrupt critical public services?

  1. Conduct Risk and Gap Assessments: If conducting a jurisdiction or company-wide risk assessment for cyber infrastructure (and infrastructure reliant upon it!) is outside the realm of fiscal and resource possibility, consider starting with a single sector or function. Begin with utility infrastructure, or water infrastructure, or first response equipment and the emergency communication center, and work through what’s most important/critical to your jurisdiction first. Bit by bit, you’ll be able to identify where you’re most vulnerable can then figure out ways to fill any shortfalls in your systems through mitigation tactics.
  2. Develop Plans: Planning for cyber response doesn’t necessarily equate to developing a formal Cyber Incident Response Plan, or Information Technology Disaster Recovery (IT/DR) Plan, as typically managed by CISOs. An emergency management-focused cyber response plan should:
  • Consider the specific command and communication processes that will be required post-cyber incident and specifically when communications mechanisms might be taken off the grid.
  • Delineate the do’s and don’ts of what you can say, when you can say it, and who you can say incident-specific information to, in a criminally-based cyber event.
  • Identify the roles and responsibilities of key response and recovery players if an entire sector is no longer functional. How do response and recovery actions change from other response plans once an entire function/sector is not capable of stepping up to the plate? Which leads to…
  1. Test and Exercise: Developing exercises that stress the ability of key partners to communicate, coordinate, and effectively respond to a cyber incident through the long term recovery phase, is paramount to preparedness. If your risk assessments and plans are complete, consider developing an exercise to test your planning assumptions. Do the players know when a “run-of-the-mill” cyber incident will escalate and require the attention of emergency managers? When will an EOC require activation – at the first sign of a breach, or when the lights are already out (assuming there is any lag time between initial breach and the cascading effects)? Do CISOs and emergency managers use the same response language? What does economic recovery look like in the wake of a devastating attack? These are all important things that must be tested and exercised to ensure that your jurisdiction or company is prepared for the real event.
  2. Train Personnel: Finally, consider training staff on how to be responsible internet/cyberspace users. In addition to ensuring that computers and accounts are password protected and that users know not to click on suspicious emails; train your information security professionals and emergency responders on how to work together in a response situation. Chances are good that you will find they use the same terminology for different things, and it will be absolutely critical to discern these nuances before it’s too late.

Much like other threats and hazards, planning, training and exercises will better prepare your jurisdiction or company for a cyber-attack, but the approach might be slightly different than the normal process. Cybersecurity is the responsibility of every level of government – and it’s incumbent upon everyone to ensure that their systems and people are prepared to respond swiftly and effectively. Where do you fall on the cyber preparedness spectrum?



[1] Symantec. “Internet Security Threat Report.” Volume 21, April 2016.  Available for download here.