A Roadmap for Improving Cyber Preparedness

Cybersecurity has become one of the nation’s most serious challenges today. As a top priority of the White House, many initiatives are underway to ensure that the nation’s critical infrastructure and networks are protected. Nonetheless, the role of emergency managers in preventing, mitigating, and responding to a major cyber incident with physical consequences remains unclear. In fact, according to the U.S. Department of Homeland Security’s 2013 National Preparedness Report, cybersecurity is still one of the lowest-rated capabilities in the State Preparedness Report – and many states have reported that they do not expect to focus on building additional capacity in this field. This is despite the fact that findings from the Federal Emergency Management Agency’s National Level Exercise (NLE) 2012 Quick Look Report pinpointed many areas for improvement specific to a cyber scenario that could adversely affect all levels of government.

Although cybersecurity is traditionally the responsibility of the nation’s information security and technology communities, combating cyber attacks that could cause physical consequences is also a shared responsibility that involves emergency managers at all levels of government, law enforcement agencies, the private sector, and other “stakeholders.” Moreover, according to participants in a recent Cyber Preparedness Workshop – conducted by CNA’s Safety and Security Division on 25 April 2013 – many state and local jurisdictions also lack the mechanisms needed for engaging this diverse community in a coordinated effort. CNA defines cyber preparedness in general as the process of ensuring that an agency, organization, or jurisdiction has developed, tested, and validated its own capabilities to protect against, prevent, mitigate, respond to, and recover from a significant cyber incident.

Because emergency managers play an important role in cyber preparedness, CNA developed a cyber preparedness continuum to provide a roadmap for emergency managers to evaluate and improve their jurisdictions’ or organizations’ levels of cyber preparedness before, rather than after, an actual cyber incident precipitates cascading physical effects. Similar continuums have been used successfully in other programs, such as interoperable communications, to strengthen capability and capacity.

The cyber preparedness continuum used in the workshop (see figure below) consists primarily of the four elements indicated in dark blue: Coordination; Information Sharing; Emergency Planning and Readiness; and Continuous Improvement. The actions described in the light blue boxes indicate increasing levels of preparedness – from left to right across the diagram.

As was strongly suggested by the Cyber Preparedness Workshop discussion – combined with the findings included in the NLE 2012 “Quick Look Report” – the key challenges that emergency managers now face in this field are thoseentified in each of the following four elements:

Coordination

• At present, there are few incentives for the private sector to coordinate more closely with the emergency management community in cyber preparedness activities. Although developed primarily to promote information sharing as it relates to cyber resiliency, the Western Cyber Exchange – a consortium of businesses, information-technology security professionals, as well as federal, state, and local government representatives – provides one example of how a consortium could help to promote both coordination and information sharing between the private sector, emergency managers, and the other stakeholders involved.
• Although emergency managers need a better understanding of how they integrate into the national response structure both during and following a significant cyber incident, NLE 2012 confirmed the obvious fact that the respective roles of two key elements of the response structure – the U.S. Department of Homeland Security’s National Cybersecurity and Communication Integration Center (NCCIC), and the U.S. Computer Emergency Readiness Team (US-CERT) – remain unclear.

Information Sharing

• The notification process for cyber incidents is not well understood by many emergency managers – uncertainties include what types of information should be shared, what agencies should share this information, and what the thresholds for sharing information should be. NLE 2012 revealed that the draft National Cyber Incident Response Plan and the National Cyber Risk Alert Level did not provide sufficient information on: (a) the actions various participants need to take; or (b) the various types of information they need to share.
• Emergency managers lack awareness of how cyber-related data is analyzed toentify – and, therefore, effectively respond to – ongoing cyber attacks across the nation. This finding was confirmed in NLE 2012 when the NCCIC staff had difficulty analyzing and connecting multiple incidents and then producing useful situational awareness products.

Emergency Planning and Readiness

• A critical goal of planning and readiness is the development of a better understanding of the roles played by local networks and systems, the potential impact of a cyber incident on critical infrastructure, and the various interdependencies across and connecting all sectors. Nonetheless, NLE 2012 showed that there is still a lack of consensus regarding the level of cyber threat and vulnerability information that should be shared between the public and private sectors.
• NLE 2012 also demonstrated several planning challenges likely to occur during the response to a significant cyber incident – specifically including: (a) several difficulties in developing viable Incident Action Plans; and (b) a lack of clarity on when and how federal assistance  (authorized by the 1988 Stafford Act) could be used.

Continuous Improvement

• The designing of realistic exercise scenarios is a continuing challenge. The cyber exercises carried out to date, in fact, have not always realistically simulated the probable impact of cyber attacks on critical infrastructure, such as power grids.
• Cyber exercise scenarios often do not include cascading physical effects because of the challenges described earlier. Largely for that reason, most current exercises are not as effective as they should be in helping emergency managers understand not only their own local systems and vulnerabilities but also the numerous complexities involved at other levels in a cyber incident.

Identifying current gaps and challenges is a significant first step toward strengthening the United States against the ever-increasing threat posed by cyber attacks and the physical effects that follow. However, analyzing and dissecting these discussions and translating them into actionable cyber preparedness activities requires a great deal of resolve and determination from a diverse set of communities as well as effective leadership on the part of emergency managers. In summary, it is only through deliberate, cyber-focused planning activities, followed by continuous assessments and improvements, that the nation as a whole can better protect its critical infrastructure systems – and, therefore, the overall safety of the American people.