New Issue Brief: State Cyber Disruption Response Plans

On July 11, 2019, the National Governors Association released a new publication on the topic of Cyber Disruption Response Plans across America.

As the topic of critical infrastructure disruptions caused by different types of cyberattacks has risen to become a top priority for federal, state and local governments, the need for coordinated incident response has become even more vital. In areas that range from the electric grid to transportation systems to election security, the need for a coordinated capability to respond to a new range of cyberthreats has accelerated the development of these new emergency strategies and response plans.

Here is the new NGA brief summary:

“The National Governors Association (NGA) released an issue brief to examine state cyber disruption response plans. States and territories count on experienced teams of public safety and emergency management professionals to prepare for, respond to and recover from natural and human-made disasters. With the integration of information technology into critical services, state and territorial officials must now expand their focus to consider the consequences of cyberattacks that have physical impacts and threaten public safety.

This issue brief examines state cyber disruption response plans that governors are developing and testing in preparation for cyberattacks that demand coordination across state agencies. These plans detail the agencies that must respond to an incident, their roles and responsibilities, and how they will coordinate resources. This issue brief also examines how these plans align with the U.S. Department of Homeland Security National Cyber Incident Response Plan, which establishes protocols to guide any federal and state response to a “significant cyber incident.” It concludes with recommendations for state leaders who are creating or revising their own response plans.”

You can download the full 38-page report here.  

Topics covered in this new issue brief include:

  • State Cybersecurity and Response Planning
  • State Cyber Disruption Response Plans
  • The National Cyber Incident Response Plan
  • Recommendations for Creating a State Cyber Disruption Response Plan
    • State Cyber Response Plans and the Emergency Operations Plan
    • Threat Schemas and Plan Activation
    • Lead and Supporting Agencies
    • Roles and Responsibilities
    • Cyber UCG and Cybersecurity Response Teams
  • Conclusion
  • Appendix (With Table Showing Public Plans in States and Where the State Plan Resides)
  • References

Wider NGA Resources on Cyber

The National Governors Association offers governments a wealth of helpful resources related to cybersecurity. The Resource Center for State Cybersecurity includes many links and helpful documents, briefs and websites. Here are just a few related to cyber disruption response:

Resources

External Resources

NGA recently announced a new plan to assist seven states on cybersecurity strategies. Here’s an excerpt from that press release:

“As states and entities within their borders face a growing threat of cyberattacks, the National Governors Association (NGA) will work with seven competitively selected states and territories in 2019 on strategies to enhance statewide cybersecurity.

Staff from the Homeland Security and Public Safety division of NGA Solutions: The Center for Best Practices will assist Arkansas, Guam, Louisiana, Maryland, Massachusetts, Ohio and Washington to develop action plans to advance and refine key priorities in cybersecurity. …”  

Brief History on Cyber Disruption Response Plans in the States

Back in 2011, when I was CSO in Michigan, I spoke at a SecureWorld Expo event in Boston where I met a team working on cyber disruption response planning. The New England Regional Catastrophic Preparedness Initiative (NERCPI) presented their Regional Cyber Disruption Planning efforts. Their excellent presentation, which was supported by several northeast states, including Rhode Island and Connecticut, and the U.S. Department of Homeland Security, can be seen here.

I believe that NERCPI effort was the first formal state government approach (that I am aware of) to address cyber disruption response in the states.

In Michigan, we formed several public-private partnerships on cybersecurity and learned from NERCPI, but took a different approach. Our efforts at the time, described in this 2011 Michigan Cyber Initiative, offered a ground-breaking document for the nation in numerous respects. One specific project that flowed from that cyber initiative was our first Michigan Cyber Disruption Response Strategy in 2013.

The Michigan Cyber Initiative was updated in 2015, and an updated and revised Michigan Cyber Disruption Plan was released later that year.

Many of these coordinated actions on cyber between state and local governments and the private sector are documented in this FEMA Lessons Learned on Information Sharing Document. The FEMA document summarized the Michigan best practices in this way:

“The Lessons Learned Information Sharing (LLIS.gov) research team identifies lessons learned derived from real-world or exercise experiences within the whole community and documents these lessons for emergency managers to consider when developing plans and exercises. In response to the growing threat of cyber attacks to the State of Michigan, a coalition of public and private sector partners developed and implemented a new framework for addressing cyber challenges. As a result, Michigan released the Michigan Cyber Initiative (the Initiative) in October 2011, followed by the Michigan Cyber Disruption Response Strategy (the Strategy) in September 2013. This holistic, partnership-based approach improved the State’s overall cybersecurity posture, and provides a valuable example for other jurisdictions to consider in their own cyber response framework development. …”

Other states, like Wisconsin, formed similar initiatives which followed the Michigan model on cyber disruption planning. (These examples are listed in the NGA briefing just released.)

Note that several states do not make their cyber disruption response plans public, but prefer to keep them as “eyes only” documents for government staff and contractors.  

Final Thoughts

As the governors prepare to convene in Salt Lake City later this month, cybersecurity is once again on the agenda as a session.

The topic of cyber disruption plans was an important discussion in Shreveport, La., at the National Summit on State Cybersecurity in May, and cyber disruption planning will continue to be a top action item, just as it has been for several years.

This blog from 2015 describes the importance of the cyber disruption topic for states at that time.

However, major cyber incidents have recently caused government disruptions (like ransomware attacks in Baltimore and many Florida cities). These cyberattacks have propelled this specific response issue to the top of the agenda for state and local governments all over the country.

This new issue brief can help.