Panelists at a homeland security conference in Washington said Tuesday that responses to incidents like natural disasters or cyberattacks that involve multiple layers of government need to revolve around the local officials who represent the affected geographic area. That approach, they said, is essential to making sure residents understand the scope of the disaster and that recovery operations are taking place.
“City managers want to see the police chief and fire chief,” Mike Steinmetz, Rhode Island’s statewide cybersecurity officer, said at the AFCEA Homeland Security conference. “People want to see the police chief and fire chief and city manager and mayor.”
Steinmetz, a former Navy officer and strategic director at National Grid, a New England electric utility, recalled a series of natural gas explosions in Massachusetts last September, saying that the most important public officials in that incident were the mayors of the towns where pipelines ruptured, while others, including Gov. Charlie Baker, played supporting roles.
But while many cities and states are confident in responding to natural and industrial disasters, they often run immediately to the federal government in the event of a cyberattack before assessing their own, in-house capabilities, said Maj. Gen. Mike Stone of the Michigan National Guard. Stone recounted his participation in the U.S. Army Cyber Institute’s Jack Voltaic 2.0 exercise last July, which simulated a broad cyberattack against the city of Houston during a major — and also simulated — natural disaster.
The Jack Voltaic 2.0 drill put city, county, state and federal officials through three days of tabletop exercises and virtual environments using a scenario in which a hurricane response was interrupted by cyberattacks by a nation-state against supply chains, infrastructure like water-treatment facilities and public information. About 200 people representing 44 organizations took part in the exercise. While the Houston officials were well-practiced at dealing with a major storm — Hurricane Harvey struck the city in September 2017 — they were not as confident with their cyber abilities, Stone said.
“Everyone had just gone through a major hurricane and gone through the incident command system where disasters start local and end local,” he said. “The locals don’t always understand what cyber capacity exists. A lot has been built at the state and local level, but the city manager doesn’t always know that.”
And while the military has extensive cyberwarfare capabilities, Stone said that if the scenario played out in the Jack Voltaic exercise were to happen in real life, the military would still play a supporting role in the response.
“In the Army, we don’t want to be in charge of the homeland, we want civilians to be in charge,” he said. “You don’t want people in uniform on every single keyboard and to wait for the hearings afterward.”
A report published after the Jack Voltaic exercise encourages responses to cyberattacks that coincide with physical disasters to be led by non-military organizations, and stresses collaboration among as many stakeholders as possible, including the private sector and power and water utilities. The report also recommends that cities build their response plans from the ground up.
“For the Nation to defend itself, U.S. cities need an adaptable and scalable model to improve the cybersecurity posture,” the report states. “A bottom-up approach is required to integrate a risk-management framework that is replicable and adaptive to the rapidly evolving threat to urban communities.”