Cybersecurity Exercise Reveals Authority Confusion

A cybersecurity exercise hosted by the Intelligence and National Security Alliance (INSA) revealed complications that can arise in the response to an attack on critical infrastructure including challenges in establishing authority among multiple agencies and levels of government.

The tabletop exercise placed 70 participants–ranging from Federal and state personnel, infrastructure operators, and cybersecurity experts–in the scenario of responding to a hypothetical cyberattack on power companies in Baltimore, with a focus on the National Institute of Standards and Technology’s cybersecurity framework.

INSA’s post-mortem report points to the challenges of having multiple agencies involved in the response.

“While many organizations play an important role in mitigation and recovery, lack of clear operational authority can hamper the collective effectiveness of these organizations,” INSA said. “While participants in response and recovery efforts must have a clear understanding of their own roles and responsibilities, they must also know who is in charge.”

The challenges of cross-agency collaboration also include information sharing and communications, the trade group said.

“One of the principal takeaways from the INSA tabletop exercise was the need to share information widely. Exercise participants highlighted that government and industry stakeholders needed to establish, and even incentivize the use of mechanisms for sharing information on the attack,” the report notes.

“While the TTX scenario was challenging – posing a dynamic situation, myriad effects and uncertain attribution – it was also clear that stakeholders were already well prepared,” the report states.

INSA recommended several actions to support stakeholders and remove obstacles to collaboration.

“Clarifying who will lead a response effort under varying circumstances, perhaps in MOUs to which stakeholders across federal and state governments and private industry agree, will enable a smoother, more coordinated response,” the report recommends.

On the subject of information sharing, the organization recommended that state and Federal actors identify sharing mechanisms before a crisis, create a mechanism to share intelligence information, and proactively determine what information needs to be shared with which parties.

INSA called on policymakers to “consider ways to incentivize companies and government agencies to share information and coordinate in a crisis.” The report recommends that states establish a Unified Incident Commander “to oversee a leadership, communication, and information hub.”

Recent