Responding to Cybersecurity Incidents

Despite the best efforts of any organization, eventually a hacker will succeed and break into a network. The purpose of incident and disruption response is to maintain operations when things go wrong and avoid worst-case scenarios. Resilient organizations and states can minimize damage, quickly identify and mitigate harms, and inform affected parties and the public.

What Can Governors Do?

Recommendation 1: Develop a cybersecurity disruption response plan (Two options):

  • Option 1: Create a response plan within the state’s emergency operation plan (EOP) as an annex or emergency support function:
    • Avoid duplicating or contradicting existing plans;
    • Use the EOP framework that activates the state’s emergency operations center (SEOC) or a unified command system, which coordinates activities across all relevant parties; and
    • Coordinate a response through a SEOC, which reinforces the necessity of a whole-of-government response to a cyber event.
  • Option 2: Create a cyber disruption strategy that identifies goals and objectives that must be met prior to implementing a plan.

State Example: Wisconsin’s Cyber Disruption Strategy’s 5 Goals

  1. Establish a cyber disruption governance authority;
  2. Identify organizations, roles and procedures;
  3. Develop state agencies’ and critical infrastructure risk profiles and capacities;
  4. Establish communication standard operating procedures across partners; and
  5. Develop and practice response and recovery operations.

Recommendation 2: Test and exercise your state’s incident response plan:

  • Create a five-year plan of exercises with associated budget requirements, like in Illinois.
  • Develop relationships beforehand; understanding the motivations and tools each agency brings to the table builds resiliency and can mitigate damage.

What is a Cyber Incident and a Cyber Disruption?

A cyber incident typically refers to data breaches, stolen personally identifiable information, unauthorized data encryption or any other incident that affects data, which the state CISO has the authority to address. A cyber disruption is an event, either man-made or natural, that temporarily disables critical infrastructure resources, such as electricity, finances and water.

Recommendation 3: Develop a communications plan to inform the public:

  • The governor and state officials will be expected to communicate to the public the nature of the cyber event and efforts underway;
  • Ensure there are measures in place to communicate if various networks are compromised;
  • Be prepared to communicate the following:
    • There is a response plan in place;
    • The non-classified efforts underway to mitigate and respond to the event;
    • The cause of the attack (if known);
    • The extent of the attack (if known);
    • What the public can do to protect themselves; and
    • When the threat has abated.

Recommendation 4: Conduct a thorough after-action report:

  • Convene the response team and affected agencies to write a thorough after-action report;
  • Be sure to include the following in the report:
    • Who wasn’t included in the response plan, but ended up playing a role?
    • How are we defining success or failure? Did we pass our pain threshold?
    • Was the response plan followed perfectly or was there a need to improvise? Why or why not?
    • How did the public respond to our message?
    • How effective was our governance structure and chain of command in responding to the event?
    • How effective was law enforcement in preserving data forensics?
    • Was it more important to catch the perpetrators or to eliminate the threat/event as quickly as possible?