Welcome to lesson 34. In this lesson, we're going to take a look at responding to cyber attack. From the previous two lessons, we learned that there's no going back and no getting over the cybersecurity problem. That means that, at least for the foreseeable future, we're going to have to live with the cybersecurity problem. Understanding, therefore, that cybersecurity is about risk management, it's reasonable to say it's not a matter of if but when you're going to get hacked. The question is, what do you do? Again, going back to our working definition of Homeland Security, safeguarding the United States from domestic catastrophic destruction, we know that safeguarding entails actions across all phases of disaster, and that they are prevent, protect, respond, and recover. Actions to prevent and protect from catastrophic destruction are generally taken before an incident occurs. Actions to respond and recover only become necessary after an incident occurs. Accordingly, if we write these actions on a timeline representing some incident, indicated by the word "boom", we can see that prevent and protect actions occur to the left of the boom, while respond and recover actions occur to the right of the boom. This is just an easier way of understanding the dynamics of catastrophes, the same way our working definition of Homeland Security makes it easier to understand the official definitions of Homeland Security. Anyway, if you look back at the cybersecurity models we studied in part two and part three, you will notice they include actions both to the left and to the right of the boom. Just because you've succumbed to cyber attack doesn't mean your cybersecurity has failed. The success of your cybersecurity strategy still depends on how quickly you can respond to and recover from cyber attack. This is where those investments, possibly harder to justify to management, prove their worth hundreds of times over.
Obviously, the quicker you can recover and return to normal operations, the smaller the impact the cyber attack will have on your mission. The ability to quickly recover, or return to normalcy, is termed resiliency. Is it possible to achieve resiliency on an order such that your mission is never compromised? I don't know. Certainly, that could be a goal, but I suspect it probably is not a cost-effective one. Redundancy and replacement are the measures most often used to counter outages. As with the electricity subsector, it is cost-prohibitive to maintain sufficient stocks of spares, generators, and transformers. And while the grid is massively redundant, that same redundancy makes it sensitive to fluctuations, such that tree branches falling on power lines in Ohio could cause the 2003 Northeast blackout, cutting power to 55 million people living in the United States and Canada. Like everything else, you're constrained in your recovery options. The question is, where do you turn for help if you suffer an incident that exceeds your planning parameters? The National Infrastructure Protection Plan encourages industries to form partnerships and help each other should such incidents occur. The obvious advantage of working within your industry is that you're more likely to have greater interoperability of skills and equipment, because you share common practices. The biggest drawback to working within your industry is that the best-qualified responders may be your competitors. This inherent conflict works against collaborative planning for collective incident response. Your next option is to turn to government. As we mentioned in lesson nine, ICS-CERT maintains deployable teams ready to respond upon request. The problem is, they wouldn't be familiar with your site installation, and there may not be enough of them to help. It is partly for this reason that the Department of Defense is developing its own Cyber Mission Force.
The Cyber Mission Force will comprise 133 teams of about 46 people adept in cyber operations. Most of the teams will be dedicated to military missions in cyber defense and cyber offense. About 13 teams, though, 10 percent of the force, will be dedicated to protecting the nation's infrastructure. Presumably, they will be on call to assist with restoring cyber-physical systems following a successful cyber attack. These forces could be activated as deemed necessary by placing a call to the Department of Homeland Security US-CERT 24-hour Security Operations Center. However, don't place your call yet. The Cyber Mission Force is not expected to become fully capable before October 2018. Even so, with all government support, you probably shouldn't expect any assistance to arrive on scene before 72 hours after you placed the call. It then begs the question whether the support might be too little, too late. Let us review the main points from this lesson. It is not a matter of "if" but a matter of "when" you're going to suffer a significant cyber attack. All of the cybersecurity models studied in this course included response and recovery actions taken after an incident, to the "right of the boom". The ability to quickly recover and return to normalcy is called "resiliency". Perfect resiliency might neutralize the effects of cyber attack, but cost considerations make perfect resiliency an unattainable goal. While professional colleagues may be the best source of cyber assistance, competition may work against collaborative planning. And while ICS-CERT response teams are available, they won't be familiar with your installation, and there might not be enough of them to go around. Accordingly, the Department of Defense is developing a Cyber Mission Force, of which 10% will be dedicated to protecting critical infrastructure. And finally, as with any government support, don't expect any assistance to arrive on scene before 72 hours after placing the call.
Please join me next time when we talk about what can be done to the cyber attacker. Cheers.