By Christopher Cruz, Cybersecurity Program Manager, Commonwealth of Virginia, IPSA Member
There is a commonly held belief among cybersecurity experts that cyber-attacks are inevitable. "Things go wrong. You can't explain it, you can't predict it." These words weren't from a seasoned cybersecurity expert though, or a veteran network administrator. Instead, this quote originates from the hit 1997 movie “Twister” starring Bill Paxton and Helen Hunt.
This sentiment is important for two reasons. First, cyber incidents are increasing in both severity and sophistication. They are also occurring with a greater emphasis on public and private sector entities that represent community lifelines or national critical functions, both of which are core to public health and safety. Second, there is immense opportunity to leverage many of the core concepts from emergency management to make cyber more accessible for emergency managers and public safety personnel and enable delivery of a Whole Community approach to cybersecurity.
Cyber as a hazard
While there are several emergency scenarios available for comparison, the best parallels are drawn when thinking about cyber as a hazard much the way one would a tornado.
Just like a tornado, cyber incidents are hard to predict and can arise suddenly with little or no warning. They can have significant impacts that are extremely localized or more widespread. And, though most tornados occur between March and August, they can strike year-round if the conditions allow.
This distinction of cyber as a hazard can help circumvent a common belief that cybersecurity is not a public safety or emergency management problem. Nearly all modern agencies have adopted the all-hazards concept for public safety practices, and cyber threats can easily fit into this approach. Similarly, most emergency managers are able to engage in response and recovery work for any number of hazards that they aren't necessarily experts on. This means cyber incidents can still be supported using the same all-hazards management efforts that work for fires, floods, and even tornados.
Many emergency management agencies utilize the five phases, or missions, of emergency management. These are prevention, mitigation, preparedness, response and recovery.
Comparatively, one of the most used cybersecurity concepts is the Cybersecurity Framework (CSF) established by the National Institute of Standards and Technology (NIST). The NIST CSF utilizes five core functions, categorized as identify, protect, detect, respond, and recover. For both the emergency management cycle and the NIST CSF, the five parts represent the same concept: delivering the core components of a holistic and successful program. Both operate not just as pillars, but as cyclical processes with continuous feedback and development.
When laid side-by-side, it becomes clear that cybersecurity and emergency management are following the same key steps, essentially dancing to the same song. Recognition of this alignment makes it easy to establish a common operating picture that enhances incident management for hybrid events, those incidents that have both a cyber component and a physical downstream impact. The most recent string of cyber incidents in the U.S. media included a number of these hybrid events, including Colonial Pipeline, Massachusetts Steamship Authority and JBS. Just as a tornado can be a short and devastating event requiring long-term recovery efforts, so too should one expect to see more cyber incidents that create longer-lasting cascading failures in the physical world.
Whole Community approach
For both cybersecurity and public safety, preparedness is critical. The Whole Community approach was developed by FEMA to address the increasing scale and severity of disasters, and the systemic threats they create. Cyber incidents are equally growing in scale and sophistication, with greater threats and vulnerabilities being discovered year after year.
The Whole Community approach recognizes that emergencies will continue to scale beyond the capabilities of a government-centric program. In response, emergency management must deliver a community-driven effort that includes shared understanding, greater empowerment, social infrastructure, mutual assistance, collective preparedness, and enhanced resilience where responsibility is distributed across residents, communities, emergency personnel, organizational leaders and government officials.
Cybersecurity experts have pushed for more awareness and ownership at the community level, but no significant frameworks have been successful. By integrating cyber into public safety and emergency management, the ability to utilize years of local and regional community engagement and mutual assistance becomes widely available in establishing and enhancing cyber incident response.
The most memorable scene from the movie “Twister” is certainly that of the cow floating by in the funnel cloud. If you see the cow, it's likely too late to engage in planning and preparedness activities. Likewise, it may be too late to build a relationship between cybersecurity and emergency management entities when in the middle of a complex hybrid incident. Planning processes that incorporate cybersecurity considerations from the onset will enable better response efforts when a cyber incident does finally occur.
Please, don't wait for the cow.
About the Author
Christopher Cruz is the Cybersecurity Program Manager for the Virginia Department of Emergency Management, assigned to the Secretary's Office of Public Safety and Homeland Security in the Commonwealth of Virginia. In this role, Christopher is responsible for the coordination, development, and integration of cybersecurity capabilities across the public safety and homeland security landscape. Previously, Christopher worked for several Fortune 500 companies leading a variety of security projects focused on insider threat, incident response, critical data protection, and IT risk management practices.