More state governments need to start assembling plans for how they would deal with a widespread cyberattack, according to a new paper from the National Governors Association. Adopting a cyber disruption response plan, the organization found, is increasingly urgent for states at a time when threats like ransomware are thriving and fears of attacks against critical infrastructure like electric grids are growing.
While all states now have incident response plans, documents outlining how they should react to attacks on government IT infrastructure, more need to develop practices for handling events that “pose demonstrable harm” to the public, the economy or the United States’ national security, the NGA paper says.
Fifteen states have made their cyber disruption response plans public, and several more have plans that are kept under wraps, said Michael Garcia, an NGA senior cybersecurity and homeland security analyst. But most of the publicly disclosed plans date from before the federal government’s 2016 implementation of the National Cyber Incident Response Plan, which lays out how a major cyberattack would be dealt with, including roles for state and local governments; just four states — Arizona, Connecticut, South Carolina and Wisconsin — wrote their plans after the NCIRP was released. Older plans tended to be based on previous federal cybersecurity guidance, such as the National Institute of Standards and Technology framework and early drafts of the NCIRP.
Unsurprisingly, there is little uniformity among different states’ response plans, though nine of the 15 documents the NGA reviewed were written as extensions of those states’ pre-existing emergency operations plans. There are differences in how cyberattacks are evaluated — across 15 states, NGA found seven methods of classifying threats. Connecticut, for instance, uses a five-level threat schema ranging from “low” to full-blown “emergency.” Maine, meanwhile, categorizes cyberthreats as “minor,” “major” and “disaster.” Wisconsin’s plan leaves it to the senior official in charge to classify the level of attack.
There is also no universal standard for which government agency takes the lead in an incident. Six states give authority to their information technology departments, another six split authority between IT and emergency management agencies, while three defer to emergency management outright.
Despite the many differences, though, cyber disruption response plans are a sign that an organization has matured, Garcia said.
“Nearly every state has an incident response plan,” he said. “[A disruption response plan] involves a lot more time and energy.”
Incident response plans kept by IT agencies, though, often aren’t robust enough for a disaster situation, the NGA paper states. Beyond directly mitigating cyberthreats, NGA also recommends states take care to maintain business operations, evaluate potential financial impacts, manage the public narrative and share what they’ve learned with other entities that could potentially be affected by the same threat actor.
As a result, cyberattacks should be tackled with a “whole-of-state” approach that includes IT staff, emergency management and homeland security personnel, law enforcement and the National Guard.
The NGA brief goes on to cite Colorado’s response to a 2018 ransomware attack against its Department of Transportation as a model. After a few days of the state Office of Information Technology flailing in its attempt to recover nearly 2,000 computers, servers and network devices that had been encrypted by SamSam malware, Gov. John Hickenlooper took the then-unprecedented step of designating a cyberattack a statewide emergency, activating Colorado’s disaster recovery plan. That allowed the state’s homeland security agency to take charge in establishing a unified command structure, reaching out to other states for support, and bringing in additional IT workers and keeping them rested and well-fed.
Maggie Brunner, an NGA homeland security program director, said the “after-action” report issued by Colorado offers a template for a statewide cyber disruption response plan.
“It’s a basic 101 in homeland security management that we have not seen a lot of,” she said. “One of our big takeaways is that you need to train your IT personnel on emergency management. We would like to see more IT officials out there, getting to understand emergency management principles.”
The NGA paper, citing the Colorado example, encourages states to create interagency leadership structures that include chief information officers, chief information security officers, homeland security advisers and National Guard adjutants, with established roles and responsibilities for each official. Other recommendations include adopting a standardized threat-evaluation system like the five-level schema used by the National Cybersecurity and Communications Integration Center, and recruiting civilians with technical expertise to volunteer in an emergency.