All emergencies may be local, but it is clear that all responses involve far more than local agencies. Determining which organizations should be involved and the roles they will play has proven challenging at all levels of government for nontraditional catastrophic emergencies such as chemical or biological attacks. When it comes to a cyberattack, emergency managers often struggle to understand the nature of cyberthreats, cybersecurity’s place in emergency response, and the decision-making process for a true all-hazards approach that includes cybersecurity.
The Challenge of Cyberthreats
In many ways, a cyberattack is similar to a biological threat like anthrax. That is, it may take some time to realize an attack has indeed occurred, and then the challenge is to understand the geographic scope and level of damage. Then too, for many emergency managers, responding to cyberthreats requires a new lexicon and an understanding of concepts not previously integrated into emergency management. For example, restoring some types of infrastructure may require bulldozers and heavy machinery to remove debris in addition to reconstruction of physical buildings. Restoring cyber infrastructure could require replacement information technology equipment, a surge of technical expertise, changes in policies, more robust encryption of information sources, and repopulation of extensive databases, some of which is privately owned.
Defending and restoring cyber infrastructure also requires coordinating with a different set of organizations than those typically involved in emergency decision-making. Responding effectively to most hazards requires regional coordination and a multijurisdictional decision-making process with financial authority to allocate resources. Multiagency coordination allows jurisdictions to coordinate across a broad range of functional areas, such as fire, law enforcement, public works, and public health. However, much of the infrastructure needed to maintain cyber connectivity is privately owned, and many of these private sector owners are not clearlyentified as being part of the restoration effort following a catastrophic incident.
Building Cyber Response Into the National Incident Management System
The National Incident Management System and its implementation at federal, state, and local levels include a well-organized and tested notification process. As it becomes clear to an emergency response agency that a major emergency is happening, that agency calls on its local emergency operations center (EOC), perhaps with limited staffing at first, but growing as agencies understand the true nature and depth of the emergency. The local EOC in turn may notify adjacent EOCs and the county and state EOC, as needed, for support.
Emergency managers need to think carefully about how to build the response to a cybersecurity emergency into this system. Those creating a cybersecurity-related attack may have several intents such as a denial of service, theft of private or proprietary information, or disruption of critical infrastructure such as the financial system or the electrical grid. Depending on the intent and the level of success, an attack could lead to a range of consequences including power outages, transportation system disruptions, and banking system failures. Even the systems inside the EOC may be impacted.
If the attack first makes itself apparent within an infrastructure provider like a phone or financial services company, the company will seek to mitigate damages to its systems and minimize corporate liability for lost data. Calling an emergency management agency may be low on the list of priorities,entifying which agency even more problematic. Theft of data may not require a public safety response, but a denial of service attack could affect life services infrastructure like power. Such an attack could become a major issue, particularly during a prolonged outage. If the power company does not know the nature of the attack, representatives may call emergency services, and an EOC may be stood up. Unfortunately, lack of information on causality could delay the process of response unless EOCs have cyberteams available to provide advice and support.
What is needed is a protocol that addresses which agency to call in the event of a suspected cyberattack, when such calls should be made, what information to provide, and how to create a liaison between experts in cybersecurity and other members of the EOC to provide situational awareness and advice. Once developed by representatives from the private and public sector infrastructure providers, this protocol needs to be clearly communicated to all and tested through exercises.
Taking a True All-Hazards Approach, Including Cyber
Responding to a cybersecurity emergency requires a true all-hazards approach with clear lines for decision making. Various regions across the nation have tried both top-down and bottom-up approaches for responding to all-hazards. For example, the Transportation Recovery Annex to the Puget Sound Catastrophic Disaster Coordination Plan offers three options to facilitate coordination and refine criteria for setting regional priorities concerning transportation during a wide-scale emergency:
Bottom-up approach, in which local jurisdictions organize working groups to address regional issues;
Utilization of existing organizations and institutions such as the Metropolitan Planning Organizations and Regional Transportation Planning Organizations to resolve issues; and
Top-down approach, in which the State establishes task forces or working groups to address regional issues as part of the governor’s long-term recovery strategy.
These approaches are not mutually exclusive and could be used in combination, with emergency response leadership tailoring the response to a particular situation. A bottom-up approach may be more effective for cybersecurity if local resources include expertise in that area. As with any multiagency coordination planning effort, the key will be to bring the right people to the table to plan and test strategies before an actual event. With cybersecurity, an added requirement will be more-frequent updates to any plan given the nature of the rapidly evolving threats.
This material is based on work supported by the U.S. Department of Homeland Security under an interagency agreement with the Pacific Northwest National Laboratory. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security.
Ann Lesperance is the director of the Pacific Northwest National Laboratory Northwest Regional Technology Center for Homeland Security located in Seattle, Washington. She works with state and local emergency responders and public safety officials to understand and help prioritize their operational needs and requirements. She also has a joint appointment to Northeastern University-Seattle where she leads efforts to build the master’s program in Security and Resilience Studies and Urban Informatics and has a faculty affiliate appointment with the university’s Global Resilience Institute.
Steve Stein is the executive director of PISCES. As such, he is responsible for the day-to-day business operations and expansion strategy for PISCES. He retired in 2017, after 38 years with Pacific Northwest National Laboratory where he served as a senior program manager and director of the Northwest Research and Technology Center providing new solutions to first responders and emergency managers. He can be contacted by phone at 206-335-1916 or by email at email@example.com. Website: Pisces-intl.org