Cyber incident responders lack a shared playbook

Three existing systems fail to identify the roles, structures or processes needed for cyber incident response, writes Kevin Coleman of Technolytics Institute.

More and more people have voiced their worries about the ever-increasing threat of a cyberattack, including an electromagnetic pulse that targets our critical infrastructure. A Government Accountability Office report summarizes the threat: “Pervasive and sustained computer-based attacks pose a potentially devastating impact to systems and operations and the critical infrastructures they support.” Meanwhile, GAO is not the only one raising concerns about the vulnerability of the tens of thousands of systems that form the U.S. critical infrastructure.

Recent analysis of such threats led to a review of the emergency response to and management of a successful cyberattack on our critical infrastructure at the state and county level. Such an incident would without a doubt activate the office of emergency services at the state and county levels. Support for a response to a cyber incident in the United States would likely involve federal resources and the military. Given the complexity of such an incident, the offices of emergency services would rely on the National Incident Management System and Incident Command System. NIMS provides a template that is used nationwide to permit all government, private-sector and nongovernmental organizations to work together during emergency incidents. ICS is one of three standardized organizational models established by NIMS. ICS defines the operating characteristics, interactive management components, and structure of incident management and emergency response organizations that must work together throughout an incident. NIMS/ICS were designed as all-hazard tools, but that was before the threat of cyberattacks and cyber terrorism entered the equation.

Those tools form the basis for managing an incident and setting up a coalition that would be responsible for bringing an incident to a positive ending. After a decade of being a National Fire Protection Association-certified fire service instructor, I am familiar with these tools. I have worked with them dozens of times. Using a hybrid model based on the cyber incidents with which I have been involved, I began to see problems with NIMS/ICS as cyber incident management tools. I then looked at the military’s Incident Command System Functional Appendix-JFO’s Incident Action Plan (DOD 3150.8M). Page 4 of that plan deals with critical infrastructure issues and operational activities.

The results of the comparison are deeply concerning. The first observation is that none of the three systems identifies the roles, structure or process that would be commonly used in cyber incidents. A comparison of the military ICS to NIMS/ICS highlighted significantly different methods for managing emergency incidents. It is unlikely that state and local emergency authorities would be fluent in the military’s systems and vice versa. The second observation is that neither of the systems is well suited for managing a cyber incident. Although the military and NIMS/ICS models handle traditional forms of emergencies, they need to be augmented for a model specifically designed for cyber incidents.

How prepared is your community, state, organization or unit to respond to and manage a cyber disaster? The characteristics of effective cyber emergency management must be researched and defined to provide the detailed guidance that emergency managers need. Anyone who has worked on a data breach or other cyber incident knows the complexities of those incidents. When you add the problems caused by the disruption of our critical infrastructure, those complexities begin to reveal the huge challenges of managing a hybrid — cyber and conventional — event. With the increasing threat of a cyberattack against our critical infrastructure, NIMS/ICS and DOD’s ICS must be updated and enhanced to deal with managing cyber incidents. Failure to deal with that now, before we are in the heat of an incident, can and will negatively affect all efforts to bring a cyber incident to a timely and successful conclusion that mitigates our losses.

Read Kevin Coleman’s new blog at www.defensesystems.com. It provides cyber intelligence and insight into the evolving domain of digital conflict necessary to stay ahead of the growing threat from online attackers.