Cover: Managing Response to Significant Cyber Incidents

Managing Response to Significant Cyber Incidents

Comparing Event Life Cycles and Incident Response Across Cyber and Non-Cyber Events

Published May 12, 2022

by Quentin E. Hodgson, Aaron Clark-Ginsberg, Zachary Haldeman, Andrew Lauland, Ian Mitch

Download

Download eBook for Free

FormatFile SizeNotes
PDF file 1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Purchase

Purchase Print Copy

 Format Price
Add to Cart Paperback102 pages $23.00

Research Questions

  1. What are the similarities and differences between cyber incidents and other incidents in terms of how they occur?
  2. How might these similarities and differences affect the types of decisions incident responders have to make, activities that responders need to undertake, and information available to them to inform those decisions and activities?
  3. Do these distinctions, in turn, call for a different approach to cyber incident response, or are the current structures, mechanisms, and approaches sufficiently adaptable to account for the distinctions?

Cyber incident response has evolved based on systems and processes developed for other types of incident response, such as response to natural hazards. Large-scale cyber incidents that would have an impact on the United States' national and homeland security, economic security, and public safety and welfare to date are rare. However, they may have additional complications that make them more complex to plan for, including challenges in distinguishing the early stages of a significant cyber incident from a more quotidian incident, and the diversity of stakeholders involved. In this report, RAND researchers compare and contrast incident response for cyber and other types of hazards, both human-caused and natural, to derive initial insights into their similarities and distinctions. The report suggests some ways to improve preparedness for cyber incident response and propose additional areas requiring further research. Recommendations include developing more rigorous and dynamic joint public-private exercises, conducting further analysis to identify how systems could fail through a cyber attack to inform early warning efforts, and developing decision mechanisms and shared understandings that will facilitate coordinated activation and execution of incident response plans.

Key Findings

Various factors may make responding to a significant cyber incident more challenging

  • The preparations for significant cyber incidents in comparison with terror attacks, natural hazards, and public health emergencies are more complex due to the low likelihood of advanced warning, the high degree of uncertainty around an incident's scope and scale, the relative inexperience with responding to significant cyber incidents, and the high degree of diversity across responder groups.
  • High uncertainty in the early stages of a cyber incident can make initial interventions difficult to calibrate correctly because the vectors that lead to a standard cyber incident and a significant cyber incident are often similar.
  • The timing of an incident and the potential for multiple attacks can also pose challenges for responders, who may find it more difficult to coordinate as the cyber incident unfolds.

The disparities in response capabilities among entities — both public and private — are also a consideration for cyber incidents

  • Domestic cyber incident response still largely depends on voluntary coordination and cooperation between U.S. public and private sectors.
  • The U.S. response to natural hazards is built on decades of operational experience, while terrorist and significant cyber incidents are less frequent.
  • Despite efforts to establish processes for cyber incident response, the lack of experience in exercising those mechanisms in a robust manner means that it remains unclear how successful those efforts will be once implemented.
  • Some affected entities may not wish to share information on an incident, whether because of concerns over legal liabilities, reputational impact, or other factors.

Recommendations

  • Government stakeholders involved in incident response planning should consider developing a series of exercises that focus on critical uncertainties in response planning and execution. The series would also identify critical information requirements and spur follow-on action, such as establishing information-sharing requirements and protections.
  • Organizations should conduct analysis to inform incident identification and provide a clearer understanding of the ways in which complex systems can fail and lead to cascading effects so that cyber incident responders and other entities can establish indicators to watch out for.
  • Additional joint public-private contingency planning could help identify required information and agreed mechanisms for determining when a significant cyber incident has occurred and warrants activating joint public-private incident response plans.

This research was funded using internal funding generated from operations of the RAND Homeland Security and Defense Center (HSRD) and conducted by the Strategy, Policy and Operations Program.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.