Resilience

Big News About Cyberthreats

by Dawn Thomas

The emergency services sector faces many daily challenges that are exacerbated when data breaches and cyber attacks occur. Addressing public concern for incidents with life and safety consequences is one of the greatest challenges that public information officers must be prepared to manage as the number and frequency of cyberthreats continue to rise.

In a world of social media and 24/7 news coverage, those in emergency preparedness fields have worked hard to better integrate public information and warning with emergency services. These efforts have paid off. For the past four years (2012–2015), the public information and warning core capability (1 of 32 core capabilities under the National Preparedness Goal) has ranked as one of the top nine capabilities for which states feel they are most prepared. However, during these same years, the cybersecurity core capability – which includes preventing, detecting, and responding to attacks – has ranked last. Providing public information and warning during the response to a cyber incident is an ongoing challenge for public information officers (PIOs) in the emergency services sector.

Cyber Incidents Threaten the Emergency Services Sector The emergency services sector (ESS) comprises the fields of: law enforcement; fire and emergency services; emergency medical services (EMS); emergency management; public works; and public safety communications and coordination, including fusion centers. As noted in the 2015 Emergency Services Sector-Specific Plan, the ESS has become increasingly dependent on cyber assets, systems, and disciplines. Although this reliance has resulted in improved operations, it is also associated with new risks. Whether cyber incidents are caused by natural occurrences (such as hurricanes, earthquakes, and tornadoes), accidents (such as hazardous materials spills), failures of systems or structural technology (such as electric grid failures), or the intentional actions of an adversary (terrorist attacks), cybersecurity incidents are increasing not only in number, but also in the cost of impact.

As cyber incidents affect various sectors across the United States – including retail, banking, and academia – the stakes are raised when incidents directly affect those who are supposed to protect U.S. citizens (such as government institutions) or take down relied upon services (such as 9-1-1 systems, power, medical equipment/hospitals). Two types of cyber incidents are likely to affect the ESS (and the constituencies they serve) the most: (a) data breaches; and (b) cyber incidents with life and safety consequences.

Data Breaches Data breaches have become commonplace in the private sector. Financial, gaming, travel, telecommunications, and energy companies have all experienced losses of millions of records that include large amounts of personallyentifiable information. As revealed in 2015, the government is not immune to data breaches and, in some cases, is a particularly attractive target for adversaries. In the past 10 years, several government sites experienced data breaches of more than 100,000 records, including Medicaid, the U.S. Department of Veterans Affairs, the Internal Revenue Service, and the U.S. Office of Personnel Management.

Likewise, members of the ESS have experienced data breaches of their own personnel and their constituencies. For example, according to the Information Is Beautiful website, in 2011, one group of hackers published 2,719 social security numbers, 8,214 passwords, and 48,182 street addresses from more than 70 different U.S. law enforcement agencies. The ESS also dealt with breaches of patient information through ambulance services in: Philadelphia, Pennsylvania; Yuma, Arizona; and Morrow County, Ohio.

Cyber Incidents With Life & Safety Consequences In addition to data breaches that cause loss of personallyentifiable information, cyber incidents also affect the physical world and have life and safety consequences. For example, computer-aided dispatch services (such as 9-1-1) can be interrupted, services that run trains or airplanes can go down, and surveillance systems can be jammed or blocked. For each of these types of incidents, direct consequences would threaten public safety and the wellbeing of specific individuals. For example, a series of technological incidents caused widespread blackouts in summer 2003, leading to at least 11 deaths. In addition, major U.S. cities such as New York, Los Angeles, Austin, Chicago, and Seattle have experienced failures of their 9-1-1 systems in the past five years that have been linked to loss of life and less-optimal patient outcomes.

Cyber Incidents Become Public As cyber incidents become commonplace, the chance that information about the incident would reach the public has become almost a certainty. As noted in the first exercise of the 2012 National Level Exercise series, senior decision-makers acknowledged that information about the cyber incident and resulting vulnerabilities would be leaked, and called for a strong public information campaign. In a December 2015 fusion center cybersecurity exercise, one ESS participant stated that cyber incidents are released to the public almost immediately, and that the chances of keeping a cyber story out of the public realm was “slim to none.”

Although early release of information is, in large part, the reality of social media and 24/7 news coverage, there are other, more complex reasons for the early promulgation of news regarding cyber incidents. The first relates to the size, scope, and targets of recent data breaches. From the U.S. Office of Personnel Management to big-box stores such as Target, national-level organizations have experienced breaches that involve huge numbers of the public. The media reports have been full of stories about the loss of millions of credit card numbers and other personallyentifiable information, socializing the public for continued news and attention on cyber incidents. 

The second reason is the rise of “hacktivism.” Gone are the days when teenagers hacked into government websites just to see if they could do it. Instead, activists are combining political beliefs with their hacking skills and are using the hack as a protest, or as a demonstration of either their own capabilities or some technical, political, or social flaw in the subject of their hack. Perpetrating the hack is only part of the equation; people have to hear about and/or see it to fulfill the purpose. For this, 24/7 news cycles and social media are the perfect mediums for hacktivists to communicate and share information about cyber incidents they caused or support. For example, the hacktivist group ”Anonymous” has become extremely newsworthy for their cyber activity in support of the Arab Spring and against Islamic State group, and for taking down large corporate websites, such as MasterCard, Visa, and PayPal.

Finally, increased public awareness can be attributed to the rise of the use of “ransomware,” in which criminals take control of a person’s or company’s data until the victim pays a ransom. The Federal Bureau of Investigation recently warned that this type of attack is on the rise. From April 2014 through June 2015, victims of the most popular ransomware reported losses totaling more than $18 million. As in any ransom scheme, victims must be informed of the crime in order for perpetrators to be paid, which increases the number of people who are aware of the attack. In addition, the monetary value of the losses has moved this type of crime into mainstream media.

The Challenges for Public Information Officers There are serious consequences to not providing accurate, timely information to the public in response to both data breaches and cyber incidents with physical effects. For a business, a breakdown in public relations might be a loss of confidence that affects revenue. As documented in the 2012 Emergency Services Sector Cyber Risk Assessment, these consequences can have greater implications for ESS, including a lack of public confidence and trust in emergency response and services, and possibly even confusion or panic. 

Despite the importance, there are few resources to support crisis communications in response to a cyber incident. What does exist seems to focus almost exclusively on a private sector model of notifying those who have had personallyentifiable information stolen. However, when the target is local, state, or federal government, it raises concern about how to use public communications in a way that ensures that the public maintains a trust in government agencies, in the water they drink, in the trains they ride, and in the power they use.

In planning for cyber incidents that affect the ESS, PIOs are forced to face several challenges, including:

  • Responding without the benefit of a playbook – Many jurisdictions do not have a response plan for cyber incidents, or they have a plan that fails to include strategies for disseminating information to the public. Similarly, even jurisdictions with strong public communications plans do not have annexes or sections that deal specifically with cyber incident response. 

  • Being uncertain about when to make information public – Although training and experience have led many ESS PIOs to believe in early notification, many in the private sector maintain that it is critical to wait to inform victims of a breach until the cyber investigation takes a more definite shape. However, the tipping point for sharing information with ESS members or constituencies remains unclear. While those in the ESS might be loath to alert the public without solutions in hand, those affected (either directly or indirectly) are likely to know something is occurring long before solutions are even a possibility.

  • Recognizing the reality that physical effects will be seen and felt – If a cyber incident (whether natural, technical, or human-caused) turns utilities off, crashes a train, or brings 9-1-1 or emergency medical records systems offline, the public would notice. The story would be in the news long before it is even clear that it was a cyber incident, and PIOs would have to act quickly to get ahead of the story.

  • Providing the right level of detail – By the very nature of many cyber incidents, describing what happened leads to a technical discussion. The challenge of the PIO is to provide information that is technical enough to accurately describe what happened, but not so technical that the average citizen cannot understand it.

  • Balancing information sharing with ongoing investigations and protection efforts – Explaining what occurred without exposing weaknesses in critical infrastructure is challenging. PIOs must work closely with law enforcement/cyber investigation units to find a level of detail that: (a) is informational, yet does not provide too much awareness to copycats who might want to exploit the situation; and (b) does not interfere with ongoing investigations.

  • Identifying (and providing the right information for) different stakeholder groups – Although informing victims of the breach is largely regulated by states (47 states have enacted legislation about notification of security breaches that involve personallyentifiable information), informing the public of a breach is not regulated and not well understood. This is especially an issue in the ESS, which is responsible not only for actual public safety, but also for maintaining the promise of public safety. Related questions include:

    • Is there a right time to inform the public that the police department has been breached, or that EMS data (even if perpetrators have not taken avail of it) has been made public?

    • Would the content of the message to the public differ from the message provided to inform victims? 

  • Balancing the communication between providing information and causing fear – Human-caused cyber incidents are likely to require different communications than those that are due to natural or technological issues. Those directly affected by the attack as well as those within the (unaffected) public might have a sense that the threat is ongoing, could escalate, and is specifically targeting Americans. As a result, PIOs must understand and account for the fear factor that might accompany a targeted attack on the ESS.

Public Information Officers Need to Prepare PIOs from the ESS face a great number of challenges when it comes to responding to a cyber incident. There are not many resources to support efforts, but there are actionable items that PIOs and ESS members can do now to prepare themselves and their communities for cyber incidents:

  • Document procedures – Ensure that jurisdictions have a cyber annex to emergency operations plans. Cyber annexes should include crisis communications plans; likewise, crisis communication plans should include cyber annexes. In all cases, plans should address how law enforcement officers, information technology (IT) professionals, and PIOs coordinate response activities during a cyber incident.

  • Develop toolkits for cyber incident response – Define common types of attacks and technical terms, pre-script press releases on common topics, and develop contact lists for any subject matter experts that may be required.

  • Conduct multidiscipline, multijurisdictional exercises – Ensure that cybersecurity exercises bring together IT experts, cyber investigators, emergency managers, hospital staff, decision-makers, and PIOs. Design exercises (and set up the room) in a way that brings representatives from each discipline and jurisdiction together to work through the different stages of a cyber incident response.

  • Do not stop at response; plan for recovery efforts – Recovery depends on restoring trust, and restoring trust relies heavily on getting the message out to the public about what happened, what actions were taken to fix the situation, and how things will improve in the future. Even when citizens do not need to take any specific actions, staying informed during the incident might help rebuild trust during recovery phases. Continued communication throughout a recovery period may support the return to status quo, ensuring that the public maintains confidence in the ESS.

Going Forward: A Growing Number of Cyber Conc