Preparing for the Cyberthreat
By Beverly Bell, Senior Policy Analyst, National Emergency Management Association
A significant cyberattack in this country is inevitable, so states should take steps now to mitigate, manage and recover from it. Otherwise, officials will be caught unprepared while still being expected to successfully handle both the attack and its consequences, which could include everything from grounded air transportation to a compromised electrical grid, from faulty water treatment plants to unworkable ATMs.
That was the message from state and federal officials who discussed the nation’s cyberthreat during the National Emergency Management Association’s Emergency Management Policy & Leadership Forum last month in Seattle. NEMA is a CSG affiliate.
“Cyber intrusion could be our next 9/11,” Jerome Hatfield, deputy superintendent for homeland security in New Jersey, told the group.
The panel agreed that the possibility of such an event becomes more likely every day because of the connectivity that exists between all the nation’s critical systems and the integration of the Internet into daily life.
Bobbie Stempfley, deputy assistant secretary of the U.S. Department of Homeland Security Office of Cybersecurity and Communications, said the biggest cyberthreat isn’t email from overseas trying to get a bank account or Social Security number. The real danger is all the private information the public willingly discloses and confirms online every day.
“Attacks have become very sophisticated,” she said. As a result, “consequences are much more significant.”
“Cybersecurity is a ‘weakest link’ problem,” Chris Ipsen told the audience. Ipsen is chief information security officer for the Nevada Department of Administration. Whether it’s a teenage hacker or an international terrorist, potential attackers exploit a cyber weakness during times of national crisis. For example, attempts to hack into the state of Nevada network increased 100 percent around Sept. 11, 2001.
This requires all state governments to be much more vigilant and proactive. He suggested that states exercise “basic cyber hygiene,” limiting privileged access only to those individuals who absolutely require it.
Ipsen also recommended states incorporate the abilities of emergency management in addressing cyber challenges. In the event of a widespread attack, he said, “We can’t be successful without emergency management.”
Examples of emergency management skills that could help with cyber challenges include planning, coordinating a response, bringing resources together, collaborating with other disciplines, identifying capabilities that could be leveraged, communicating and messaging about an event, and coordinating comprehensive engagement with counties, cities and the private sector.
“Emergency managers are really social scientists,” Hatfield said. “Everything we do is built on relationships,” a skill that would be invaluable in planning for and recovery from a cyberattack.
Panelists suggested states revise antiquated laws, some of which are more than 60 years old.
“We are dealing with laws that weren’t designed with cyberattacks in mind,” said Brad Kieserman, chief counsel for the Federal Emergency Management Agency. “It’s a matter of time before a significant cyberattack, so we should be working on laws now.”
The focus of these updates should be on the consequences of a cyberattack, panelists said. “The means and motive (of an attack) really aren’t the issues,” Kieserman said.
Stempfley agreed. “We get too concerned with the ‘who did it?’”
Instead, Kieserman asked, “What will you need to put your data, your control systems, back online? What will you need repaired, replaced, restored?”
States also should think about what kind of authorities should be in place to facilitate long-term recovery efforts, which could be even more complex, particularly if the virtual attack coincided with a physical one.
That’s the fear of Capt. Tom Sands, Michigan deputy state director of homeland security and emergency management. To better prepare its local jurisdictions, Michigan has developed Cyber Range, a virtual environment that allows cities to experience a cyberattack in a controlled setting and test their various security solutions.
“Interdependencies really pop out in a cyber exercise,” Sands said.
Hatfield is confident that regardless of the obstacles, the cyber risk can be managed.
“We have been faced with threats in the past—radiological, biological—that demanded a higher capability and we’ve met them,” he said.
In the end, the cyber challenge is no different if states fully acknowledge the issue and adopt the new tactics required to meet the problem head-on.