Governments around the globe are rushing to prepare for computer-generated threats that can cause real-world calamity to our way of life. And while opinions vary on the likelihood of human error causing a major crisis or hostile cyberthreats causing severe societal disruptions, few argue against being prepared. So how are leading governments getting ready for inevitable cyber emergencies?
Computer failures cause a major train crash leading to nine deaths on a Washington D.C. Metro line.
The FBI reports that a Chinese cyberattack invaded U.S. control systems and gained the cyberkeys necessary for access to systems that regulate the flow of natural gas.
Human error causes a computer glitch that shuts down New York trains for almost two hours.
Air Asia probe uncovers possible computer glitch that may have contributed to the deadly December 28, 2014 crash.
Distributed denial of service (DDoS) attacks shuts down leading banks.
Flights are disrupted affecting tens of thousands of travelers throughout the United Kingdom (UK) after an “unprecedented system failure” grounded flights.
There are many different names for it – a computer glitch, a denial of service attack, a breach of security or a cyber-disruption. But whether the cause is poorly written computer code, inadvertent operator error, intentional insider threats or an external cyberattacks from enemies of the state, one simple question must be answered: Is your government prepared to respond?
There is no doubt that the threat of cyber disruption is growing across the globe. According to this report by British Telecom in 2014, disruptive cyberattacks are a growing concern for UK companies, with one in five organizations having their systems taken down for an entire working day due to denial of service attacks alone, which is just one of many computer-related threats.
(Note this quote uses UK spelling from the original report):
The research reveals that 41 per cent of organisations globally were hit by Distributed Denial of Service (DDoS) attacks over the past year, with more than three quarters of those (78 per cent) targeted twice or more in the year.
DDoS attacks are seen as a key concern by more than a third of UK organisations (36 per cent). Globally the worry is even greater, with almost twice as many organisations naming the attacks a key concern (58 per cent).
Cyber Incident Definitions Vary
What is a cyber emergency?
Unlike emergencies from natural causes like ice storms, hurricanes or tornadoes, a cyberdisruption can be difficult to predict and even harder to know when the attack has truly ended.
Nevertheless, governments around the world are scrambling to deal with this new 21st-century reality.
The Federal Emergency Management Agency (FEMA) has a Cyber Incident Annex which lays out many definitions and “Policies, organization, actions and responsibilities for a coordinated, multidisciplinary, broad-based approach to prepare for, respond to, and recover from cyber-related Incidents of National Significance impacting critical national processes and the national economy ...”
FEMA cyberincident of national significance definition is as follows: “A cyber-related Incident of National Significance may take many forms: an organized cyberattack, an uncontrolled exploit such as a virus or worm, a natural disaster with significant cyberconsequences, or other incidents capable of causing extensive damage to critical infrastructure or key assets.…”
The National Infrastructure Protection Plan (NIPP), which was updated in 2013, outlines “How government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes.”
The NIPP also lays out sector-specific definitions and actions to protect critical infrastructure from all types of hazards – including cyberthreats.
And yet, the overall coordination of roles and responsibilities for responding to various types of cyberemergencies remains a serious challenge for governments around the world. The very fact that over 80 percent of critical infrastructure is owned and operated by the private sector is also a complicating factor, requiring new types of coordination, information sharing and emergency management exercises.
The steps being taken by several states are highlighted at the end of this blog. In addition, the National Association of State Chief Information Officers (NASCIO) is currently working on a new cyberincident response planning template for states to follow. The U.S. Department of Justice grant-funded project should be completed later this year.
Are Cyberattacks Increasing?
Krebs on Security recently highlighted a report from Arbor Networks that described the increase in cyberattacks last year. Here's an excerpt:
Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year.
Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.
Even more alarming, national security leaders have been saying for years that these cyberattacks are just a precursor to worse incidents to come.
Back in 2012, former Defense Secretary Leon Panetta warned of a “Dire threat of a cyberattack on the U.S.”
An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Mr. Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Defense officials insisted that Mr. Panetta’s words were not hyperbole, and that he was responding to a recent wave of cyberattacks on large American financial institutions. He also cited an attack in August on the state oil company Saudi Aramco, which infected and made useless more than 30,000 computers.
In 2013, outgoing DHS Secretary Janet Napolitano warned of a serious cyberattack.
And in 2014, the 9/11 Commission said that a cyberattack on US: “Is an imminent threat ...”
“Terrorists are plotting a cyberattack against the United States that is tantamount to 9/11, and the American public is acutely uninformed about the grave danger …”
The Pew Institute also issued this report in 2014 on how cyberattacks are likely to increase going forward. In a survey to a wide-ranging audience including 1642 respondents, 61 percent of respondents said "yes" to this question:
By 2025, will a major cyberattack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)
How Are State and Local Governments Preparing for Major Cyber Incidents?
Many state and local governments have already issued or are working on cyberdisruption (or major cyberincident) response plans as part of their emergency management efforts. Other governments have added cyberannexes to other emergency management plans. The White House and congressional leaders have also signaled new efforts address the growing cyber threats to the nation.
A few state and local cyber-response examples include:
Houston also posted this related webinar PDF on cyberdisruption response planning.
While these types of cyberincidents may seem trivial to some, they are a sign of worse things to come.
In addition, speaking as a former Michigan CSO and government department emergency management lead, it is not easy to know how serious any given incident will become when it begins. Oftentimes, cyberattacks or power outages or computer system crashes seem the same in the earliest minutes of an incident. It is hard to know what caused the problem, but the processes and procedures must be in place to respond – whether human error or terrorist cyberattack.
It is clear that cyber incidents have become part of the 'new normal' for emergency management organizations in 2015.
Is your government prepared? Have you tested your plan in a tabletop exercise?
How will your business respond during the next cyberdisruption?