Cyber disruption: Is your government ready?

Governments around the globe are rushing to prepare for computer-generated threats that can cause real-world calamity to our way of life. And while opinions vary on the likelihood of human error causing a major crisis or hostile cyberthreats causing severe societal disruptions, few argue against being prepared. So how are leading governments getting ready for inevitable cyber emergencies?

by / February 1, 2015

[Image: a broken railroad track. Credit: Shutterstock/Lightspring]

Computer failures cause a major train crash leading to nine deaths on a Washington D.C. Metro line.

The FBI reports that a Chinese cyberattack invaded U.S. control systems and gained the cyberkeys necessary for access to systems that regulate the flow of natural gas.

Human error causes a computer glitch that shuts down New York trains for almost two hours.

Air Asia probe uncovers possible computer glitch that may have contributed to the deadly December 28, 2014 crash.

Distributed denial of service (DDoS) attacks shut down leading banks.

Flights are disrupted affecting tens of thousands of travelers throughout the United Kingdom (UK) after an “unprecedented system failure” grounded flights.

There are many different names for it – a computer glitch, a denial of service attack, a breach of security or a cyber-disruption. But whether the cause is poorly written computer code, inadvertent operator error, intentional insider threats or external cyberattacks from enemies of the state, one simple question must be answered: Is your government prepared to respond?

There is no doubt that the threat of cyber disruption is growing across the globe. According to this report by British Telecom in 2014, disruptive cyberattacks are a growing concern for UK companies, with one in five organizations having their systems taken down for an entire working day due to denial of service attacks alone, which is just one of many computer-related threats.

(Note this quote uses UK spelling from the original report):

The research reveals that 41 per cent of organisations globally were hit by Distributed Denial of Service (DDoS) attacks over the past year, with more than three quarters of those (78 per cent) targeted twice or more in the year.

DDoS attacks are seen as a key concern by more than a third of UK organisations (36 per cent). Globally the worry is even greater, with almost twice as many organisations naming the attacks a key concern (58 per cent).

Cyber Incident Definitions Vary

What is a cyber emergency?

Unlike emergencies from natural causes like ice storms, hurricanes or tornadoes, a cyberdisruption can be difficult to predict and even harder to know when the attack has truly ended.

Nevertheless, governments around the world are scrambling to deal with this new 21st-century reality.

The Federal Emergency Management Agency (FEMA) has a Cyber Incident Annex which lays out many definitions and “Policies, organization, actions and responsibilities for a coordinated, multidisciplinary, broad-based approach to prepare for, respond to, and recover from cyber-related Incidents of National Significance impacting critical national processes and the national economy ...”

FEMA's definition of a cyber-related incident of national significance is as follows: “A cyber-related Incident of National Significance may take many forms: an organized cyberattack, an uncontrolled exploit such as a virus or worm, a natural disaster with significant cyberconsequences, or other incidents capable of causing extensive damage to critical infrastructure or key assets.…”

The National Infrastructure Protection Plan (NIPP), which was updated in 2013, outlines “How government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes.”

The NIPP also lays out sector-specific definitions and actions to protect critical infrastructure from all types of hazards – including cyberthreats.

And yet, the overall coordination of roles and responsibilities for responding to various types of cyberemergencies remains a serious challenge for governments around the world. The very fact that over 80 percent of critical infrastructure is owned and operated by the private sector is also a complicating factor, requiring new types of coordination, information sharing and emergency management exercises.

The steps being taken by several states are highlighted at the end of this blog. In addition, the National Association of State Chief Information Officers (NASCIO) is currently working on a new cyberincident response planning template for states to follow. The U.S. Department of Justice grant-funded project should be completed later this year.

Are Cyberattacks Increasing?

Krebs on Security recently highlighted a report from Arbor Networks that described the increase in cyberattacks last year. Here's an excerpt:

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year.

Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.

Even more alarming, national security leaders have been saying for years that these cyberattacks are just a precursor to worse incidents to come. 

Back in 2012, former Defense Secretary Leon Panetta warned of a “Dire threat of a cyberattack on the U.S.”

“An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”

Defense officials insisted that Mr. Panetta’s words were not hyperbole, and that he was responding to a recent wave of cyberattacks on large American financial institutions. He also cited an attack in August on the state oil company Saudi Aramco, which infected and made useless more than 30,000 computers.

In 2013, outgoing DHS Secretary Janet Napolitano warned of a serious cyberattack.

And in 2014, the 9/11 Commission said that a cyberattack on the US “Is an imminent threat ...”

“Terrorists are plotting a cyberattack against the United States that is tantamount to 9/11, and the American public is acutely uninformed about the grave danger …”

The Pew Institute also issued this report in 2014 on how cyberattacks are likely to increase going forward. In a survey of a wide-ranging audience of 1,642 respondents, 61 percent said "yes" to this question:

By 2025, will a major cyberattack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)

How Are State and Local Governments Preparing for Major Cyber Incidents?

Many state and local governments have already issued or are working on cyberdisruption (or major cyberincident) response plans as part of their emergency management efforts. Other governments have added cyberannexes to existing emergency management plans. The White House and congressional leaders have also signaled new efforts to address the growing cyberthreats to the nation.

A few state and local cyber-response examples include:

Michigan Cyber Disruption Response Strategy

New England Cyber Disruption Planning (NERCPI)

Houston’s portal on cyber disruption planning

Houston also posted this related webinar PDF on cyberdisruption response planning.

Texas Fort Bend County Cyber Disruption Planning

Rhode Island Cyber Disruption Plan

Idaho is working on cyberattack procedures for its emergency operations plan. Idaho Homeland Security Director Gen. Brad Richy outlined the serious cyberthreat in this article.

Final Thoughts

There are plenty of lower-severity cyberincidents and data breaches that occur on a regular basis. This blog shows a gallery of road signs that have been hacked.

While these types of cyberincidents may seem trivial to some, they are a sign of worse things to come.

In addition, speaking as a former Michigan CSO and government department emergency management lead, it is not easy to know how serious any given incident will become when it begins. Oftentimes, cyberattacks, power outages and computer system crashes look the same in the earliest minutes of an incident. It is hard to know what caused the problem, but the processes and procedures must be in place to respond – whether the cause is human error or a terrorist cyberattack.

It is clear that cyber incidents have become part of the 'new normal' for emergency management organizations in 2015.

Is your government prepared? Have you tested your plan in a tabletop exercise?

How will your business respond during the next cyberdisruption?

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso