The ongoing Russian war in Ukraine has highlighted the need for federal, state, and local level emergency managers to prepare to respond to a “cyber–Pearl Harbor”—a cyberattack with widespread impacts that significantly disrupt critical infrastructure. Although the war today is mostly being fought on the ground, Russia has been waging cyberwar against Ukraine for years—including an attack in 2016 that shut down much of its power grid, and attacks in 2017 that disrupted its hospital systems and banks. Such acts of aggression have given rise to growing concerns that Russia could successfully launch similar attacks across the United States and other Western nations. In the past, Russian state-sponsored actors have targeted government agencies, election organizations, and critical health care, pharmaceutical, defense, energy, nuclear, water, aviation, and manufacturing infrastructure in the United States, Germany, United Kingdom, and other countries. In fact, at the end of last month, President Biden issued a warning that the Russian Government is exploring options for cyberattacks on the United States.
Outside of the Russian threat, we know of the devastating toll of ransomware on hundreds of hospitals in recent years—compromising access to vital payroll and electronic health records and patient monitoring equipment. Attacks have also impacted U.S. oil and gas infrastructure and crippled the police, telephone, and public transportation systems of many cities. These attacks could cost lives; in extreme cases, patients in critical condition have died when they had to be transferred to different hospitals or otherwise had delayed treatment because of the impacts of cyberattacks. And disruptions to other infrastructure could also be incredibly dangerous, like hackers’ (fortunately thwarted) attempts to poison the water supply of a water treatment plant in Florida. We don’t know if, when, or how cyberattacks on the United States will occur, but we know that the threat is increasingly real (PDF). In the context of a heightened cyber threat environment, emergency managers should actively prepare for cyberattacks and learn to expect the unexpected.
As organizational and operational leaders responding to all varieties of emergencies and disasters, local emergency managers play a crucial role in mitigating the impact of cyberattacks by responding to any potential cyber–Pearl Harbors. Unfortunately, emergency managers currently face significant challenges when it comes to managing cyberattacks. One major challenge is a lack of resources. Many local emergency management agencies are understaffed and underbudgeted (PDF), already struggling to meet the demands of numerous (and sometimes concurrent) disaster responses. Smaller communities may be particularly stretched—where staffing for emergency services, cybersecurity, and IT can be very limited, and emergency managers may also serve in other roles.
The relative rarity of cyberattacks is another challenge. Although cyber threats are steadily increasing, they are still not occurring at the same rate as natural hazards. The relative infrequency of cyberattacks compounds local resource limitations, as leaders may be unwilling to allocate necessary funding for preparedness planning and other tools for improving response. Similarly, local emergency managers may not be able to develop the technical skills and experience necessary to plan and prepare for cyber threats in the same ways that they can gain skills for other crises, namely through on-the-ground experience through response.
Such a lack of technical, firsthand experience on how to actually respond to a cyber disaster may be particularly problematic because a cyberattack could take communication systems offline, hampering situational awareness and information sharing. There may be a need to preserve forensic evidence, which can inhibit a rapid and efficient response centered on moving as quickly as possible towards recovery, requiring modifying standard incident action and implementation planning. A cyberattack may also require engagement with IT departments and other technical experts not typically engaged in emergency response, making coordination and collaboration more difficult and hindering resource mobilization.
Fortunately, while cyber threat events are unpredictable, strategies to build better responses are not.
Fortunately, while cyber threat events are unpredictable, strategies to build better responses are not. As with responses to other emergencies, cyber disaster management improvements will most likely not come primarily from technology, but rather from new ways of organizing, improved resource allocations, and investments in people and processes. Training plans for cyber threats may follow established practices, the same training and planning processes emergency managers use already—such as using tabletop exercises to improve response to public health incidents and natural hazards like earthquakes, hurricanes, and floods. From these may come to light new ways of working together. Similarly, emergency managers frequently engage in all-hazard planning processes and training: these can be expanded to include responding to cyberattacks. Building cross-functionality and mutual understanding between cybersecurity IT specialists and incident managers will likely be critical. Additionally, a strong cyber threat knowledge base in emergency management should be taken as a necessity. Because knowledge on effective cyber response is nascent, when cyberattacks do occur, the incident management experiences should be used to develop lessons that can be broadly transferrable and incorporated into cyber planning, preparedness, response, recovery, and mitigation efforts.
Emergency managers may be able to creatively utilize existing resources to successfully respond to cyberattacks. For instance, in many places around the country, libraries are already vibrant community hubs where people are accustomed to gathering for information—a natural, physical location for incident messaging if communication infrastructure is shut down during an attack. There is also an opportunity to develop resource investments in ways that are truly multi-hazard, limiting cyber-specific expenditures to keep costs down. For example, alternative communication systems for cyberattacks are useful whenever disasters like earthquakes and power outages disrupt communication networks. Planning processes for health facilities during cyberattacks on hospitals can similarly be folded into general planning budgets for all disasters. These dual benefit approaches can be useful for “no regrets” investments and have been tried and tested for other hazards with high levels of uncertainties, like climate change-related disasters.
Cyberattacks must be treated with the same urgency as any other significant hazard that has the potential to cause major infrastructure damage and cost lives.
Initial investments in exercises, trainings, and upgrades to hardware and software may be steep, but so is the price of not preparing to manage and mitigate cyberattacks. Cyberattacks must be treated with the same urgency as any other significant hazard (like a fire, flood, or hurricane) that has the potential to cause major infrastructure damage and cost lives. Large federal agencies may provide valuable support for some of these efforts. For instance, in the United States, disaster management and response agencies like FEMA, CISA, and CDC could potentially provide resources for planning and coordination, and assist communities in building a better local response, given that cross-city learning is key, and city-level resources are slim. It is not possible to control if or when these attacks will happen, but what can be controlled is folding our preparation for cyber threats into manageable components of all-hazards response planning. This would strengthen our emergency response capabilities and make programs more sustainable, requiring a smaller amount of maintenance funding as staff turnover occurs and new hazards emerge.
Clara Decerbo is director, Providence Emergency Management Agency, Grace Hindmarch is a research assistant at the RAND Corporation, and Aaron Clark-Ginsberg is a social scientist at RAND. They are collaborating on a project developing measures of performance for incident management. You can learn more about the project and opportunities to participate in piloting the measures.
This commentary originally appeared in IAEM Bulletin on April 18, 2022. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.