
There is no shortage of predictions that the U.S. (and the rest of the world) is vulnerable to, and a likely target of, a cyber 9/11 or Katrina in the somewhat immediate future. If you believe those predictions, it's not a matter of 'if' - it's a matter of 'when' and 'how.'
With that in mind, there are some reasonable assumptions which can be made about the nature of a cyber event of those proportions, and about some of the practical preparations which can/should be made in advance of it.
I'd like to lay them out here and spend the next few posts in this area focusing on each of the items in more depth.
Remember, this is one perspective, and it might not be the right perspective. But in the absence of a plan where these types of assumptions are made, tested, and validated, anything can happen.
- Assumption #1 - Not all components of the national infrastructure (or world's infrastructure) should receive equal priority in a response effort. The old military saying - 'if everything is a priority, nothing is a priority' applies here. The nation lacks the resources to respond equally across every sector. That's why the Critical Infrastructure sectors were recently defined and continue to evolve.
- Assumption #2 - Not all Critical Infrastructures are going to receive equal priority. The long and short of this is that there are simply too many sectors and components of the critical infrastructure for equal treatment and priority to be delivered to all of them simultaneously. So there is/should be a hierarchy within even the select Critical Infrastructure sectors.
- Assumption #3 - The scope of the event may not be limited to a specific region like 9/11 or Katrina. Cyberspace doesn't follow traditional regional boundaries. This is obvious, but the ramifications are pretty significant from a response, analysis, and recovery perspective. Size and scope can get out of hand quickly (think 2003 nor
- Assumption #4 - Data about the event(s) needs to be able to flow both up to decision makers and down to responding organizations. This tasking already exists inside the Department of Homeland Security - for the US Computer Emergency Response Team - and the capability is being exercised on a regular basis. Of course, the knowledge of how to get information up to US CERT and how to glean information from US CERT rests with the organizations which are doing the response, and their ability to interface with US CERT is not necessarily known.
- Assumption #5 - The only way to make sure the processes, data flow, and response capabilities are accurate, comprehensive, and actually work is to test them. And testing them means putting them to work, in various exercises, with real and critical feedback on the strengths, weaknesses, and road forward across all of the processes, technology, and people that will hold this response together.
I'm sure there are more, but these are a start. I'll take these one by one and dig deeper into each of the assumptions (in significant detail) over the next few weeks.