Cyber Threats: Different Hazard, Same Problems

By Timothy L. Beres, Vice President and Director, Safety & Security

Over the past few years, all levels of government have discussed cybersecurity and the United States’ vulnerability to an attack. The 2012 National Preparedness Report (NPR) and the 2011 Nationwide Cyber Security Review (NCSR) confirmed the anecdotal suspicion that gaps exist in the nation’s cyber preparedness. In particular, the NPR identified cybersecurity as a Core Capability requiring national improvement; in fact, while cyber attacks have increased in frequency, state assessments show that cybersecurity reflects the lowest capability level based on desired targets. The NCSR found that 45 percent of state and local respondents have not implemented a formal cyber risk management program, and 66 percent have not updated their disaster recovery plans in the past two years. In addition, the Federal Emergency Management Agency sponsored National Level Exercise 2012 (NLE 12) earlier this year, which was the largest cyber exercise to date conducted in the United States. NLE 12 confirmed the findings in the NPR and NCSR, revealing that the nation lacks effective plans for managing a significant cyber incident that causes both cyber and physical effects.

The results of NLE 12 and the findings from the NPR and NCSR raise questions similar to those posed after the response to natural disasters like Hurricane Katrina and after other large-scale terrorism exercises. For example, how will government agencies and private-sector providers collaborate to share information and detect cyber incidents? How will emergency management and information security professionals coordinate to respond to a cyber incident with physical effects? What cyber resources are available, and what processes can be leveraged to quickly allocate them to state and local governments? While these questions seem daunting, we cannot be afraid to address them.

Even though gaps exist in cyber-response capabilities, the news isn’t all grim. In fact, the current state of preparedness is similar to where other capabilities were a decade ago, yet positive change has since been implemented in those areas. For example, several years ago, communications interoperability existed only in a very narrow sense within individual response disciplines. Rarely did it cross disciplines, and even more rarely did it cross jurisdictions. This had been a satisfactory level of capability when dealing with everyday events. However, when larger and more complex events began requiring multiple public safety disciplines to respond or multiple jurisdictions to communicate, the capability was inadequate. In response, through programs sponsored by the Office for Domestic Preparedness and SAFECOM, the federal government has helped state and local jurisdictions understand the components of interoperable communications, the steps needed to improve interoperability, and the process to apply for federal funding to support these activities. With tremendous efforts and investment from state and local communities, interoperability has greatly improved in the United States.

The same success story can apply to cybersecurity. While response to threats and preparedness efforts have often been addressed solely within information technology (IT) or information security departments (fragmenting them from larger preparedness efforts), state and local jurisdictions have begun to understand the scope of the cyber threats they face. To continue to improve preparedness, these jurisdictions need to fully integrate cybersecurity into their emergency preparedness activities. This is not a simple task, as it requires two communities that do not traditionally work together—the emergency management and IT communities—to collaborate to assess risk, estimate requirements, build capabilities, develop plans, and validate capabilities.

In addition, a cyber preparedness grant and technical assistance program would help to focus attention on this critical capability. That focus could be provided through a Statewide Cyber Preparedness Coordinating Group that would administer the program as part of a state’s overall homeland security governance process, thus driving collaboration among emergency management and IT stakeholders. As with communications interoperability, cyber preparedness can be viewed as a continuum. By taking actions to move forward on the continuum, a jurisdiction can mature its processes for assessing risk, addressing critical gaps, implementing actions to improve preparedness, testing newly developed plans via exercises, and sharing information—all of which would help to improve cyber preparedness.

Ultimately, the nation is behind in its efforts to develop the capability to prevent, protect against, mitigate, respond to, and recover from large-scale cyber incidents, so all levels of government should focus on augmenting this capability. The threat may be different, but we cannot be afraid to address it from an emergency management perspective. The nation has demonstrated (with some incentives and guidance) a remarkable ability to make significant improvements in capability in a short period of time. Now is the time to focus our efforts on cybersecurity.