This article was first published by BRINK.
As the U.S. kicks off the 2022 hurricane season, another potential disaster looms large. With the Russian invasion of Ukraine and other ever-present criminal and terrorist threat actors, the risk of a cyber disaster is mounting. Meanwhile, those responsible for responding to such a disaster remain largely focused on “traditional” disasters.
As the head of the U.S. Department of Homeland Security agency responsible for managing these risks, Cybersecurity & Infrastructure Security Agency (CISA) Director Jen Easterly described the threat landscape and identified potential targets in a recent 60 Minutes interview. “We are seeing evolving intelligence about Russian planning for potential attacks. And we have to assume that there’s going to be a breach. There’s going to be an incident. There’s going to be an attack.” Director Easterly identified the energy and finance sectors as particularly likely targets.
Most assume cybersecurity to be the domain of technology professionals. As Carolyn Harshman, president of the International Association of Emergency Managers, told me: “Too often, cybersecurity is thought of as a business continuity or IT issue.” The reality is that those on the front lines of managing the physical consequences of a cyber disaster would be the same people who respond to hurricanes, tornadoes and floods. “These are the emergency managers at all levels of government and the first responders in each of our communities,” said Harshman.
Recall the ice storm that crippled the electric grid in Texas last year. The cold weather exacerbated the power loss, as those impacted struggled to stay warm and care for themselves and their families. Imagine instead it was a cyberattack that caused the disruption. The consequences would be the same, or worse. Such an attack could be timed to coincide with high energy demand, such as the summer months when health risk from heat is highest. Thousands could die if timed for greatest impact.
Not only is the cyber threat real, but a seemingly unrelated disaster demonstrates why preparing for a cyber disaster should be a priority. The pandemic has yielded lessons that a cyber preparedness plan should include.
First, the pandemic exposed vulnerabilities in many sectors. From inadequate security safeguards for largely remote workforces to supply chain shortages of critical technologies, COVID demonstrated the potential shortfalls in the nation’s ability to protect itself from future cyberattacks. These vulnerabilities could amplify any impacts from an attack, thereby complicating a response to the physical consequences of a cyber disaster.
Second, the pandemic forced the cancellation of a major cyber exercise that we had spent years planning at the Federal Emergency Management Agency (FEMA). National Level Exercise 2020 (NLE 2020) would have been the nation’s largest cyber exercise. Without it, the realistic scenario it envisioned was not tested, and the gaps it would have likely exposed have not been closed.
Third, the pandemic also laid bare the challenges facing emergency managers as “all hazards” practitioners. Just as many mistakenly believed early in the pandemic that COVID was a health emergency and only belatedly realized the role of emergency managers, so too are catastrophic cyber incidents almost certain to fall to emergency managers.
What Can Be Done?
What can be done to prepare those charged with protecting us from the consequences of cyber disasters? Much like a “traditional” disaster, preparing for future contingencies is critical. This should include core elements of preparedness such as planning, training, equipment and exercises.
Having overseen FEMA preparedness programs from 2017 to 2020, I directed an internal review of the agency’s cyber preparedness program. In 2019, I publicly released our findings: “We offer over 20 online and in-person courses, focused on everything from network assurance and digital forensics, to information security and cyber incident response. Since 2004, FEMA has trained more than 87,000 federal, state, local, tribal and territorial officials on cybersecurity.”
Today, FEMA offers over 40 such courses. The challenge, says IAEM President Harshman, “is to ensure that emergency managers are aware of and have access to these courses.” Further, “Cybersecurity must be integrated into existing ‘traditional’ emergency management courses to ensure cyber response becomes a core competency of our profession.”
I also found during our earlier FEMA review that the agency had provided $165 million over 10 years to strengthen state and local government cyber preparedness. While it seemed substantial at the time, it pales in comparison to the overall need. Thus the $1 billion cyber grant program included in the recently enacted infrastructure law represents an unprecedented opportunity to bolster state and local preparedness for cyber disasters. FEMA and CISA are currently finalizing the grant guidance for the new program, which is anticipated to be released this summer.
To ensure a robust response should a catastrophic cyber disaster occur, a strong working relationship between the government agencies responsible for cybersecurity and disaster preparedness is necessary. At the federal level in the U.S., this is principally FEMA and CISA. When I was at FEMA, we made it a priority to collaborate with CISA. Whether it was grant guidance, exercises such as NLE 2020, or response planning, we worked with our sister DHS agency as partners. Going forward, such a partnership will be critical.
In a January 2022 position paper, the National Emergency Management Association (NEMA) stated that “questions abound relating to the federal government’s processes for responding to major cybersecurity attacks.” To address these concerns, the association representing state emergency management directors proposed an Integrated Program Office between FEMA and CISA to “coordinate all policy and response doctrine as it would apply to cybersecurity, critical infrastructure protection, and any other subject of shared interest.”
The same collaboration should be a priority at the state and local levels and with the private sector. State and local governments should pair their technical experts (Chief Information Security Officers) with their operational responders (emergency managers). And given that the vast majority of the nation’s critical infrastructure is owned by the private sector, this is not a challenge the government alone can solve. Strong partnerships between industry and all levels of government will be necessary to confront this threat.
Finally, at the individual level, we must all take our cyber responsibilities seriously. Brian Hastings, director of the Alabama Emergency Management Agency, told me, “Americans are ill equipped to defend against the increasing sophistication and volume of cyberattacks.” Hastings, who also chairs the NEMA Homeland Security Committee, added: “Humans are simultaneously the vulnerability, the target, the enemy, and the solution on the front lines making cybersecurity awareness, training, and education a shared responsibility and crucial to reducing our collective risk to attacks.”
Cyber Preparedness Must Be a Priority
A new RAND study finds that responding to a cyber disaster will likely be far more challenging than responding to a traditional disaster. This is largely because of the nation’s inexperience with responding to catastrophic cyber incidents; officials must therefore develop plans and test these capabilities before an incident occurs. The study provides yet more evidence that bolstering the nation’s cyber preparedness now should be a national priority.
Just as emergency managers and first responders prepare for “traditional” disasters, so too must they prepare for cyber disasters. Just because there isn’t a cyber disaster season doesn’t mean it isn’t time to prepare now.