The United States has a long history of preparing for and responding to large-scale incidents affecting public safety and homeland security. However, it does not have comparable experience in responding to cyber incidents. This report examines U.S. processes for non-cyber emergency management and whether U.S. officials can learn from these events to help public and private sector stakeholders improve preparations for response to cyber attacks.
Managing Response to Significant Cyber Incidents
Comparing Event Life Cycles and Incident Response Across Cyber and Non-Cyber Events
- What are the similarities and differences between cyber incidents and other incidents in terms of how they occur?
- How might these similarities and differences affect the types of decisions incident responders have to make, activities that responders need to undertake, and information available to them to inform those decisions and activities?
- Do these distinctions, in turn, call for a different approach to cyber incident response, or are the current structures, mechanisms, and approaches sufficiently adaptable to account for the distinctions?
Cyber incident response has evolved based on systems and processes developed for other types of incident response, such as response to natural hazards. Large-scale cyber incidents that would have an impact on the United States' national and homeland security, economic security, and public safety and welfare have to date been rare. However, they may have additional complications that make them more complex to plan for, including challenges in distinguishing the early stages of a significant cyber incident from a more quotidian incident, and the diversity of stakeholders involved. In this report, RAND researchers compare and contrast incident response for cyber and other types of hazards, both human-caused and natural, to derive initial insights into their similarities and distinctions. The report suggests some ways to improve preparedness for cyber incident response and proposes additional areas requiring further research. Recommendations include developing more rigorous and dynamic joint public-private exercises, conducting further analysis to identify how systems could fail through a cyber attack to inform early warning efforts, and developing decision mechanisms and shared understandings that will facilitate coordinated activation and execution of incident response plans.
Various factors may make responding to a significant cyber incident more challenging
- The preparations for significant cyber incidents in comparison with terror attacks, natural hazards, and public health emergencies are more complex due to the low likelihood of advance warning, the high degree of uncertainty around an incident's scope and scale, the relative inexperience with responding to significant cyber incidents, and the high degree of diversity across responder groups.
- High uncertainty in the early stages of a cyber incident can make initial interventions difficult to calibrate correctly because the vectors that lead to a standard cyber incident and a significant cyber incident are often similar.
- The timing of an incident and the potential for multiple attacks can also pose challenges for responders, who may find it more difficult to coordinate as the cyber incident unfolds.
The disparities in response capabilities among entities — both public and private — are also a consideration for cyber incidents
- Domestic cyber incident response still largely depends on voluntary coordination and cooperation between U.S. public and private sectors.
- The U.S. response to natural hazards is built on decades of operational experience, while terrorist and significant cyber incidents are less frequent.
- Despite efforts to establish processes for cyber incident response, the lack of experience in exercising those mechanisms in a robust manner means that it remains unclear how successful those efforts will be once implemented.
- Some affected entities may not wish to share information on an incident, whether because of concerns over legal liabilities, reputational impact, or other factors.
Recommendations
- Government stakeholders involved in incident response planning should consider developing a series of exercises that focus on critical uncertainties in response planning and execution. The series would also identify critical information requirements and spur follow-on action, such as establishing information-sharing requirements and protections.
- Organizations should conduct analysis to inform incident identification and provide a clearer understanding of the ways in which complex systems can fail and lead to cascading effects so that cyber incident responders and other entities can establish indicators to watch out for.
- Additional joint public-private contingency planning could help identify required information and agreed mechanisms for determining when a significant cyber incident has occurred and warrants activating joint public-private incident response plans.
Table of Contents
Key Features of Non-Cyber Incidents
Life Cycle of Significant Cyber Incidents
Recommendations and Areas for Future Research