Agencies’ IT worries used to just be that a crash might offline a system for a few hours. But the cyber landscape has evolved, and today’s agencies face fears of ransomware downing critical business systems for weeks and then only being able to restore from backups that lack the most recent data, said Seattle CISO and Director of Security and Infrastructure Greg Smith. Seattle now ranks cyber attacks and disruption as fifth on its list of the top 18 hazards posing the greatest risk to the city.
But governments aren’t starting from scratch when it comes to preparing to reduce and recover from cyber disasters. Cybersecurity can get support from emergency management departments and borrow lessons learned from that field’s longer history. Some governments are actively bringing the two functions into collaboration and communication, and in some cases hiring professionals with emergency management backgrounds to serve in cybersecurity and cyber response roles. Russ Strickland, vice president of the National Emergency Management Association (NEMA) and director of Maryland Emergency Management, estimates that at least half of the nations’ EM entities are also involved with cyber hazards.
But while cyber and traditional emergency management teams can work together and learn from each other, not every EM approach translates neatly to digital crises. Cybersecurity and EM professionals are identifying where cyber emergency response requires a unique touch and how the two fields can best support each other.
In some ways, cyber is just another type of disaster. Emergency management units embracing an “all-hazards” approach may include cyber annexes in their statewide or citywide response plans, just like they would include flood or civil disturbance annexes.
New York City CISO and Cyber Command leader Kelly Moan said partnership between her cybersecurity entity and the city’s emergency management agency is important to keeping the city resilient. EM and cyber professionals need similar soft skills and both must “maintain composure in an emerging and fast-paced environment in the middle of an incident,” as well as develop and follow playbooks, she said.
The overall life cycle of cyber and natural disaster handling is also similar, with both involving preparedness, mitigation, response and recovery phases, said Jonathan King, statewide incident response coordinator at Texas’ Department of Information Resources (DIR). King came to the IT agency after more than nine years with the state Division of Emergency Management.
Both kinds of events can sometimes cause similar incidents. For example, it might be unclear at first whether flooding stemmed from physical or cyber causes, said Federal Emergency Management Agency (FEMA) CISO Greg Edwards. A dam’s controls might fail due to mechanical issues or malware disrupting the control systems, and responders will need to investigate to identify the root of the issue.
IT teams reacting to cyber incidents typically can contain the threat and identify the scope of the damage without needing to engage emergency management, said Seattle’s Smith. And cyber insurers or contracted support can also help, Talmadge said. As a result, most ransomware and cyber incidents don’t need EM involvement.
It’s when the impact goes beyond that capability or affects critical public services that EM should jump in to help, Talmadge said. The Office of Emergency Management can also be helpful in supporting response to larger events, where recovery is a multiday affair, said Smith. EM has expertise handling situations that require 24/7 staffing and managing handoffs between personnel shift changes.
Some EM practices also weave well into cyber incident response plans, including those around prioritizing systems to restore, advising executive leadership and communicating crisis information to the public, Smith said. Emergency managers can directly help with some of this, including updating the public about the cyber incident and steps to take — such as other ways to get help if 911 calls are disrupted, Talmadge said.
When the two fields come together on a cyber crisis, IT is the subject matter expert and should take the lead and handle the technical aspects like containing threat actors and rebuilding systems. Meanwhile, EM is used to coordinate resources and handle logistics as well as consider incidents’ potential broader, cross-sector impacts. Traditional emergency managers need to evaluate possible cascading effects that could impact other critical services like water treatment plants, said NEMA and Maryland’s Strickland.
EM can rally more resources, including activating cyber specialists at the National Guard and awarding emergency contracts, Talmadge said. Plus, it can bring equipment like computers to replace those that have been damaged and mobile Wi-Fi systems to temporarily restore Internet, Strickland said.
King said Texas’ IT department looks to the State Operations Center to help share information and EM field staff to support local communities. For example, EM field staff were important to coordinating the state’s response to an August 2019 ransomware incident that impacted 23 local organizations.
Making these kinds of collaborations work may require teams to plan and train together, so everyone knows each other’s needs.
King recommended a whole-of-organization approach in which cyber incident response plans are made with input from EM, law enforcement, legal, finance and HR teams. Engaging EM in cyber tabletop exercises — and having police cyber crime units listen in, too — can ensure partners understand how a cyber incident might play out and helps IT be aware of the kinds of information that other parties need at different points of a hypothetical scenario, Smith said.
NYC’s Moan said cross-training EM and IT will only become more important going forward. The city has been tabletopping scenarios that blend both cybersecurity and emergency management elements, rather than solely one or the other.
Cross-training also helps EM understand the nuances of cyber — including what IT looks for to indicate whether the incident could have catastrophic, cascading effects — and helps IT see what EM has to offer, Talmadge said.
“I don’t think emergency managers have done the best job possible to really reach out to the information technology community. … Most folks look at emergency managers, and they see hurricanes, they see snowstorms. … And they think emergency managers really can’t offer anything to the information technology sector,” Talmadge said. “That’s incorrect.”
IT teams can be reluctant to involve EM, out of misplaced fear that EM will try to take over, Strickland said.
“At the beginning, the relationships have probably been a little rough to say the least,” Strickland said. “They think if emergency management comes in, we’re about to take over and tell them what to do … but we’re not. We’re not a military, and they’re not working for us. … That’s been the greatest challenge for the IT folks to understand is that we’re there to help.”
For one, cyber incidents tend to be deliberate attacks launched by criminals or adversaries and targeted at specific IT systems — very different from a hurricane’s broad, indiscriminate impact, Talmadge said. That also necessitates limiting information sharing to avoid providing adversaries with useful insights.
Plus, while residents can live outside hurricane or flooding zones, no one is outside a cyber incident zone.
“The first thing that makes cyber unique is the risk,” King said. “I live in the Austin area where there’s a risk of flooding, a risk of tornado, but there’s not a risk of hurricane. But every organization has some level of cyber risk.”
Cyber events can be unnerving for the general public, from whose perspective they appear to strike out of nowhere. Residents can see strong winds warning them of an impending hurricane and watch the disaster unfold, but cyber incidents often come as a surprise and it may not be initially clear who caused the incident and why or how extensive the attack’s scope is, said Talmadge. That makes for a different psychological impact.
The cyber threat landscape also changes particularly rapidly. Potential software security weaknesses emerge and evolve faster than those impacting hardware security, said FEMA CISO Edwards. Each new patch or added feature changes software in ways that could introduce new, exploitable vulnerabilities.
Seattle’s Smith also noted that while snowstorms, for example, may develop in well-known ways, cyber is more variable. The end goal of most cyber attacks is the same — encrypt or disrupt victims’ systems and/or steal data — but the specific attack methods and speeds at which the incidents unfold can vary significantly and new adversary techniques are always emerging. That makes it impossible to tabletop for every kind of incident. Instead, teams must practice the fundamentals of cyber emergency response, and be flexible and adaptive during actual incidents.
EM teams are used to working in the public eye. Clearing debris after a storm isn’t necessarily a sensitive activity, but working with the confidential IT systems and private data that cyber attackers tend to target is, Talmadge said. That can make victims reluctant to call for help. To pave the way for providing support in times of need, emergency managers need to enter legal conversations early and establish NDAs and MOUs before something happens. Otherwise, they’ll have to sort that out on the fly, leading to slower response.
Plus, emergency managers need to realize that — unlike with flooding or hurricane insurance — cyber insurance may require policyholders to follow certain mandated response plans, Talmadge said.
Smith and his peer CISOs also have been mulling how much of FEMA’s Incident Command System (ICS) can be applied to cyber response. The ICS — a system intended to guide management of emergency scenarios — provides a “ready-made structure” and processes that are already well-understood, which spares IT responders from reinventing the wheel, he said. But ICS also assumes a slower developing event, and isn’t always relevant for early stages of a cyber response, which tend to involve highly technical work. Finding the right balance of how much to borrow from ICS and other traditional models is an ongoing conversation.
Some, like Smith, say their IT departments have enough personnel to manage several days of around-the-clock emergency staffing. But not every jurisdiction can say the same, and some cyber responses and recovery can be especially prolonged. For example, a major cyber event like SolarWinds can see response continue six months or so beyond the initial incident, making for a taxing experience for cyber responders, according to Bob Costello, CIO of the Cybersecurity and Infrastructure Security Agency.
“One of the things that you have to manage is exhaustion of your people who are responding, so they can take care of others,” Costello said during a July 2023 FedInsider webinar. “Often, we don’t do that well in the IT world. We have an event and it’s the same people that are maintaining those systems day to day, responding to the event. … FEMA has an incredible model where they can surge [their capacity]. We’re building those capacities into the cyber area, and it’s getting better.”
This story appears in the October/November issue of Government Technology magazine. Click here to view the full digital edition online.
