The explosive growth in technologies related to the Internet of Things has enabled public safety and emergency management officials to leverage real-time information for decisions, enabled earlier and more rapid alerts and warnings to the public, allowed social and behavioral scientists to explore the intersections of demography and community resilience, and much more.
These advances and the technologies driving them also create complexity, and as any good emergency manager will tell you, increasing complexity means increasing vulnerability. The CIOs and CISOs implementing and protecting these systems shouldn’t be doing so alone. As public safety and emergency management officials, we play a large part in supporting our CIOs and CISOs and have a vested interest in their success. As advancements continue, there are key actions we can take to ensure strong partnerships.
1. Identify your cyber security vulnerabilities, develop a plan to mitigate impacts to operations, and have a plan to regularly reassess for vulnerabilities and changes in your assumptions.
Keeping up with the constant advancement of technologies and the ever-changing threat landscape is daunting. You don’t have to go it alone, and you surely don’t have to create programs on your own. Earlier this year the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive catalog of services designed to help you know your risks, know your vulnerabilities, know your capabilities, and develop a plan of action. The interactive tool is available in PDF format and includes offerings tailored for academia, industry and the private sector, non-profits, federal, state, local, territorial and tribal governments, and even the general public. The index includes hundreds of free services, tools and tool kits designed to get you started. Knowing the vulnerabilities allows you to create actionable contingency plans and ensure continuity of vital services should there ever be a disruption. Even if the plan of action is to move to pen and paper during a ransomware attack, having the pre-plan allows you to stay focused on the fight and not be distracted by what could have been a preventable, secondary emergency with cascading impacts.
2. Include a cyber component with all trainings and exercises, no matter how big or how small, and plan for the “cyber incident within the incident.”
The Internet of Things continues to advance the interconnectedness of the world, driving these connections to a much more granular level. More of our devices, and as a result more of our daily processes and procedures, rely on connected technologies. As the thread of cyber security now weaves through most aspects of our lives, there are more points of failure and more vulnerabilities to consider as we plan, prepare and train for crises. The increasing complexity of systems also means that the potential size and scope of failure grows with the increased prevalence. Keep this in mind during your trainings and exercises, because it happens today in the real world during a response to crisis. For example, during the COVID-19 pandemic we have seen hospitals and health systems become the target of advanced phishing attempts (https://us-cert.cisa.gov/ncas/alerts/aa20-099a). Bad actors are counting on you to be distracted during a crisis so they can exploit your vulnerabilities. Practicing for the “cyber incident within an incident” helps prepare you for the unexpected. Plus, it’s better to make mistakes like downloading fake malware from a phishing email in a no-consequence exercise environment than in the middle of a crisis.
3. Manage a cyber security incident with the same processes, support, and considerations you would a physical critical infrastructure incident.
I’m not just talking about impacts to the servers, cables, power supplies, and other equipment that make up your physical network infrastructure; I’m talking about the information itself, all the zeros and ones that flow across the system. Just because you can’t “see” it doesn’t mean it isn’t important. Like electricity and water, that information, that data, is a core utility, and emergency managers should treat it as such. I often say that coordination, communication, and command and control are the three-legged stool that enables successful crisis management. Without any one of those three you can still succeed, but it’s a delicate balancing act. Without two of them you’re destined to fail. Data (information) and its movement are at the heart of each of those legs of the stool, so keeping it intact and operating is critical to success. Furthermore, many cyber incidents quickly cascade into impacts on physical infrastructure. Take for instance the case of recent ransomware attacks in cities like New Orleans and Baltimore. In both cases, thousands of hardware devices, servers, computers, tablets, and more, all had to be reimaged or replaced. Managing the incident from the beginning according to your Emergency Operations Plan, in a manner consistent with the principles outlined in FEMA’s Comprehensive Preparedness Guide (CPG) 101, ensures, among other things, unity of effort, appropriate resource tracking and allocation, and an organized approach to coordinating the chaos.
In the end, there will always be much more to do, but these three core tenets should serve as a solid foundation to support the valuable work of CIOs and CISOs. If anything, it will also allow you to better understand the ever-evolving and complex situations our partners often face. After all, that’s what emergency management is all about: creating partnerships, tools, plans, and procedures that link functions, leverage capabilities and authorities, and create better outcomes during crisis.