Costly, dangerous and disruptive cyberattacks are still on the rise, and the recent targeting of critical infrastructure is particularly alarming. This year alone, bad actors have unleashed digital mayhem on vital facilities and organizations between February and June, including more than 150 government agencies (mostly in the U.S.), a Florida water treatment plant and the Colonial gas pipeline.
Criminal groups have found a lucrative business model in launching various cyberattacks against under-protected victims. The number of attacks against critical infrastructure has increased across many sectors, including government offices, power, gas, water treatment plants and transportation control systems. This is concerning because it represents a whole new category of threat — one that goes beyond natural, technological and adversarial failures. We are also facing dangers perpetrated by criminals prepared to put lives at risk by disrupting critical services upon which we depend.
Cyberattacks are different
We need to address cyber threats with more urgency, given the growing risk they pose. This includes making them more of a focus when it comes to emergency planning and disaster preparedness. One important document in the emergency management ecosystem is FEMA’s Comprehensive Preparedness Guide, CPG 101, which guides the fundamentals of planning and developing emergency operations plans.
The guide divides hazards into three categories. The first two are “natural” hazards (caused by forces of nature) and “technological” hazards (events or emergencies involving manmade materials). The third type of hazard is what FEMA calls “adversarial or human-caused” events — a group it describes as disasters created by man, either intentionally or by accident. The examples it lists of these types of hazards are terrorism, school violence, and cyber events.
FEMA recognizes that a capabilities-based approach is required when preparing to prevent, protect against, respond to and recover from all types of emergencies. Effective emergency management focuses on preparedness involving all stakeholders. Whether for natural disasters or cyberattacks, it takes a village to reduce vulnerability to the risks. Given ever-increasing cyber threats, stakeholders should foster a culture of cyber preparedness. This can be done by making cyber events a major hazard category in emergency management.
As public administration academic Brian Nussbaum has said, “It is no longer possible to engage meaningfully in emergency management or disaster response without thinking of cyber risks and information technology.” Today’s frequency and scope of cyberattacks are so immense that they warrant being a major hazard category.
Why sharpen our focus?
Treating cyber events as a major hazard category would enhance cybersecurity capabilities within the emergency management spectrum, enabling practitioners to collaborate and coordinate across different agencies, functions and all levels of government. It would also lay the foundation for meeting stakeholders’ needs in future all-hazards efforts. Just as they would for a natural disaster, stakeholders must be ready to respond to a cyber event, because a cyberattack can have physical consequences. These physical consequences could result in significant impacts on governments, businesses and individuals.
It is also vital that cybercriminal activity stays in the public spotlight. A recent Armis survey of Americans found a general lack of knowledge and awareness of major cyberattacks on critical infrastructure. Returning to two of the significant recent incidents mentioned at the beginning of this article, more than 21% of the 2,000 respondents in the Armis survey had not heard about the cyberattack on the Colonial gas pipeline, and 45% of Americans were not aware of the attempted tampering with Florida’s water supply.
Public awareness and support have always been a cornerstone of effective emergency management. However, with the potential threats from cybercrime so high, the public must understand the dangers of any cyber-related event.
Having cyberattacks redefined as a major part of the disaster and emergency planning matrix would also have important benefits at political, leadership and staffing levels. It would ensure policymakers keep cyber risks top-of-mind and give emergency management practitioners a robust platform to spread the message.
Tackling cybersecurity with an emergency management mindset would also help industries that have traditionally preferred to pay the ransom rather than take any other steps to prepare their cyber responses. For example, the manufacturing sector receives twice as many attacks as the construction, technology and retail sectors combined because it cannot afford to shut down systems for any length of time. Preparing for cyberattacks can build resilience and help create resistance.
The White House and federal agencies have increased the emphasis on cyber risks this year. Still, that momentum must extend further to ensure cyber risk becomes a national priority at all levels. As Nussbaum puts it: “Overall, if the goal is to build a nation that is more secure against [cyberattacks], one of the key constituencies that need engaging is state and local emergency managers.” Given the possibilities of cyber threats to come, a unified, top-down approach is urgently needed.