Cybersecurity response: Not just an IT issue but an emergency preparedness priority
These impacts, at a minimum, may be similar to the disruption we all felt with the recent CrowdStrike/Microsoft outage. While not due to a cyberattack, that incident still resulted in air travel disruptions and other impediments felt beyond IT departments. In worse cases, the impacts of cyberattacks could be the equivalent of the destructive consequences of a natural disaster, such as a hurricane.
Given the stakes, cybersecurity threat response requires a different mindset that views attacks as resulting in the same “whole of society” consequences as a natural disaster or physical attacks that have endangered lives. Such a response requires agency leadership to ensure that all stakeholders in their agencies, including those not working in technology organizations, begin to consider cybersecurity as an emergency response and preparedness mission — not merely an IT resilience discussion.
The consequences of cyberattacks extend beyond agency IT departments. Traditionally, we think of cyber protection as a technology issue and respond accordingly — e.g., how to recover from an incident, how to identify and mitigate attacks, how to prevent exfiltration and other technical fixes.
Focusing solely on this approach falls short, because it does not consider the kinetic events that will surely follow and the possibility of real harm. Successful cyberattacks can result in the same dangers as any natural disaster, where people’s lives are at a minimum disrupted, and where their lives and livelihoods can also be put at risk. An attack on the electrical grid, for example, could leave thousands or even millions without power. During a heat wave or freeze, vulnerable people could be in real physical danger. And civil unrest could potentially follow.
The more dependent we become on the conveniences of technology, the more vulnerable we become to any cyber incident. One entry point into our connected world can certainly introduce a host of other system vulnerabilities. Consequently, cybersecurity should be viewed as a “whole of nation and society” issue.
In light of this, federal leaders can better protect their constituents by taking a broader view, looking at and responding to cyberattacks in the same way they have traditionally responded to natural disasters or other physical emergencies. Such an approach would represent an extension of the existing trend of incorporating non-IT assets into cybersecurity planning and looking at the operational impact that lies beyond IT assets. Government and private sector organizations have begun to recognize that physical and virtual assets like operational technology, internet of things, building management systems and more must be protected from cyber threats in the same way as IT.
For instance, in government, this could take the form of an attack on internet-connected building access systems and security cameras. To address this, responses to cyberattacks should include input and action from the facilities management organizations that hold responsibility for those systems and devices. In another example, agencies with medical missions should include in their cyber response activities those organizations responsible for internet-connected devices such as MRI machines and other clinical assets, which may also be vulnerable to cyberattacks that could result in risks to people’s lives in the event of a disruption or shutdown.
This change in approach must be initiated at the highest levels of government agencies, by department secretaries and deputy secretaries. Leadership needs to develop emergency response plans that include all stakeholders, outlining roles and responsibilities for each. They then should run scenario exercises similar to those used in cases of natural disasters or active shooter incidents. As they do in other emergency situations, they must regularly coordinate their planning and exercises with external organizations, including the Cybersecurity and Infrastructure Security Agency, the Federal Emergency Management Administration and the Federal Bureau of Investigation.
Although this represents a fundamental change to cyberattack response, it does not necessarily require a heavy lift for agencies to implement. In many organizations, these processes are already in place for physical events. It can be a matter of simply “plug and play” to extend those to include cyberattack responses.
There is a critical danger in ignoring the potential of cyberattacks to impact the lives of U.S. citizens. Government leaders should take steps now to mitigate those risks by treating cybersecurity events in the same way they treat other types of threats.