On July 11, 2019, the National Governors Association released a new publication on the topic of cyber disruption response plans across America.
The report examines state cyber disruption response plans, providing recommendations for state officials who want to create or review their own response plans.
“With the integration of information technology into critical services, state and territorial officials must now expand their focus to consider the consequences of cyber attacks that have physical impacts and threaten public safety,” reads the report. The need for a coordinated capability to respond to emerging cyber threats has become even more vital as different types of cyber attacks have caused major critical infrastructure disruptions.
NGA differentiates cyber disruption response plans from cyber incident response plans. Cyber incident response plans deal with “cyberattacks that compromise the confidentiality, integrity or availability” of the data being collected, transmitted or stored by state computer systems. These plans “address potential incidents that affect state IT infrastructure, their development and execution generally fall under the purview of the state CIO.”
On the other hand, cyber disruption response plans are developed to prepare for, respond to and recover from a significant cyber incident that “pose[s] demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of [the public].” These plans differ from incident response plans because they require multiple agencies to coordinate activities and to implement traditional emergency management and homeland security operations.
The report highlights 15 states with publicly available cyber disruption response plans, and it examines how they compare against the 14 core capabilities in the Department of Homeland Security’s (DHS) National Cyber Incident Response Plan (NCIRP), which establishes protocols to guide any federal and state response to a “significant cyber incident.” These “plans detail the agencies that must respond to an incident, their roles and responsibilities, and how they will coordinate resources.”
Among the 15 states, there were seven types of threat schema, and plans varied across states in their arrangement of emergency operations plans or emergency support functions. The report said, however, that “every plan reviewed emphasizes a whole-of-state approach, recognizing the all-encompassing impact a significant incident can have.”
Given the various practices and plans states already have in place, NGA listed recommendations for other states to adopt in forming their own cyber disruption response plans. These recommendations suggest that states:
- Develop a cyber disruption response strategy prior to developing a formal plan to detail the stakeholders involved in creating a response plan, the information needed to inform a plan and how frequently the plan will be exercised or updated.
- Adopt the DHS National Cybersecurity and Communications Integration Center scoring system, catalog risk assessments and attach specific protocols to each threat level.
- Identify the state’s senior cybersecurity official and create interagency leadership.
- Include steady-state roles and responsibilities as well as review the NCIRP core capabilities.
- Integrate National Guard resources into the response plan.
- Establish operational procedures for cyber response teams.
- Create a volunteer-based cybersecurity force “akin to a volunteer fire department.”
Commenting on the report, William Hugh Murray of SANS Institute said that “One of the lessons that we should take away from ‘ransomware’ attacks is that traditional ‘backup and recovery’ plans do not provide the essential resilience that is required in today’s hostile environment and high dependence. ‘Resilience’ must be our new objective.”
The report concludes with a statement that highlights the importance of having cyber disruption response plans in place:
Strengthening state preparation for and response to a significant cyber incident is critical to achieving national resiliency. Significant cyber incidents could affect critical infrastructure (CI) across state lines and stretch the federal government’s ability to respond. In such a situation, states will need plans in place to ensure they are organized and prepared to respond without federal assistance.
That is very true indeed. Back in 2015, Dan Lohrmann argued for the importance of developing state disruption plans as part of existing emergency management efforts. Recent major cyber incidents, such as the ransomware attacks in Baltimore and in many Florida cities, have caused serious government disruptions and have propelled cybersecurity to the top of the agenda for state and local governments all over the country.
The topic of cyber disruption plans was an important discussion in Shreveport, La., at the National Summit on State Cybersecurity in May, and it is going to be one of the top agenda items in the forthcoming governors conference in Salt Lake City on July 24-26.
“A plan is not a document which one takes out and reads while sitting in the ashes. It is a capability, the ability to do something in its presence that one cannot do in its absence.” –Robert H. Courtney, Jr.