Rather Than Fearing 'Cyber 9/11,' Prepare for 'Cyber Katrina'


(U.S. News & World Report)

A senior airman working in defensive cyber operations at Peterson Air Force Base in Colorado Springs, Colorado

Photo by Rick Wilking/Reuters

by Andrew Lauland

March 30, 2016

While the nation's attention is rightly focused on the threat of international terrorism and the horror that can be unleashed with conventional weapons, other less conventional but potentially devastating threats still loom.

One such threat is the risk of a cyber-based attack. There is almost universal agreement on the growing risk of a large-scale cyber attack on entities within the continental United States — including critical infrastructure operators, financial institutions and government itself — which could lead to significant economic and social disruption, including the loss of life.

However, rather than fearing a still-undefined “cyber 9/11,” the response to another tragic event in America's history may hold equally important lessons — and solutions — for confronting the cyber threat.

In 2005, Hurricane Katrina struck the city of New Orleans and the greater Gulf Coast with devastating effect. However, neither the threat of a storm of Katrina's magnitude nor the systems and processes for responding to it were new. Katrina represented a major test of the nation's post-9/11 systems for a synchronized, effective, whole-of-nation response to a large-scale emergency, which rapidly overcame the ability of the impacted state and local governments to respond to it.

Most New Orleanians would tell you that the nation failed this test. The Federal Emergency Management Agency was widely criticized and launched major reforms to ensure that a similar circumstance — in which resources were delayed and disorganized, lines of authority were tangled and unclear and impromptu, often self-deployed resources were the order of the day rather than a unified response — could never happen again.

As a result, the United States today has an improving and well-tested system for providing mutual aid across state lines, across different levels of government and between the public and private sectors for such large-scale emergencies.

Unfortunately, the boundaries of this system essentially end at cyberspace. In the event of a true, large-scale cyber event in the United States, although the nation would be required to do many of the same functions required by a response to an emergency in the physical world, there is a high likelihood the response would be at best “a pickup game,” and at worst, chaotic.

While there is agreement on the reality of the cyber threat, far too little has been done in the way of defining this threat and developing a structured response system in a practical manner, as has been done for the “physical world” of natural hazards and man-made and accidental events. Fortunately, neither the problems nor the solutions to them are elusive.

A plain-language call to action should start with planning. The attacks of 9/11 killed and injured thousands through direct, physical attacks. A cyber 9/11 may be more likely to result in denial of access to the Internet, widespread loss of access to banking systems leading to fear and unrest, or loss of power across unprecedented swaths of the country. There should be agreement on the smallest possible set of responses needed to cover the most likely, worst-case scenarios, which are truly novel to cyberspace and for which plans do not currently exist.

Resources for response in the physical world are “typed” and categorized so that any city or county in the United States can request a “Type I HazMat team” to respond to a chemical or radiological attack; or an “Ambulance Strike Team” to respond to a mass-casualty incident, and any other city or level of government in America is immediately aware of the exact composition and capabilities of that resource. No such language exists in the cyber domain, and the reality is, in fact, the opposite — an often daunting, inconsistent and inaccessible mix of roles and functions. Much as police departments across the country began years ago to abandon “10-codes,” in which “10-3” might mean “suspect in custody” in one jurisdiction and “off-duty” across the county line, there needs to be a common, plain-language taxonomy for key cybersecurity resources which can be understood by those who would be responsible for requesting mutual aid during a cyber event — state and local government officials and emergency managers.

Anywhere in the United States, a citizen can call 911 and report an emergency, and local government will reroute their call to the most appropriate branch of government, usually the fire, police or EMS department. As events escalate from a small, local response to a Katrina-level event in which local resources are overwhelmed, there is a clear chain of response to pull in resources from neighboring local communities, followed by state governments, the private sector and the federal government, up to and including the Department of Defense. This is not the case in the realm of cybersecurity. Too often, lines of authority and capability overlap or are unclear, leading not only to inefficiency and uncertainty but to dangerous gaps. There is a desperate need to define a “federalism of cyber security” as has been done for the physical world.

The Stafford Act provides states with the ability to declare states of emergency and major disasters and provides the president and Congress with the authority to provide assistance. Critically, the Stafford Act also addresses issues of financial support and liability, which can become all too problematic in ensuring a swift and effective response. This ground is unbroken in cyberspace. There are no procedures for declaring a cyber emergency or disaster, but no doubt the day will come when a state governor feels compelled to do so. A paramedic can be deployed from one side of the country to the other and provide life-saving medical care to a disaster victim under the national Emergency Management Assistance Compact without any uncertainty regarding cost, reimbursement or liability. None of these issues have been addressed for the programmer or systems analyst who might be needed to bring a power grid back online.

The goal for the nation is clear. The United States needs and deserves a smooth, well-functioning mutual aid system for cybersecurity that provides all of the hard-won benefits of the nation's system for hurricanes and other “real-world” emergencies. Existing response systems provide a clear and achievable roadmap of the steps the United States could take.

In its darkest hours, the United States has always united to respond to threats. It should plan now for the day that this threat comes not from a storm or an explosive, but from a computer keyboard.

Andrew Lauland is a native of New Orleans and works at the nonprofit, nonpartisan RAND Corporation. He was the state homeland security advisor for the City of Baltimore from 2002 to 2007 and for the state of Maryland from 2007 to 2015. In 2006, Lauland and 150 Baltimore City firefighters, police officers and public works personnel deployed to Gretna and St. Bernard Parish in Louisiana in response to Hurricane Katrina.

This commentary originally appeared on U.S. News & World Report on March 30, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.