Exercise. Exercise. Exercise.

By Mary Kavaney

And no, not the physical type…think cyber!

The Potomac Institute for Policy Studies stated in their November 2015 Cyber Readiness Index 2.0 Report that “No country is cyber ready.” While we can argue about the accuracy of that statement, the fact that a group of well-respected experts came to this conclusion is in and of itself disturbing. We spend more money each year on cyber security protection, yet the attacks increase in number, magnitude, and sophistication.

How do we change this paradigm? Exercise. Exercise. Exercise.

While the cyber state of readiness of our respective nations is beyond our control, we can (and must) engage in thoughtful, meaningful, and close to “real life” cyber exercises in our respective jurisdictions. This certainly is not a new concept, but it takes real resources, cooperation, and coordination to create relevant and useful exercises with the vital partners.

I attended such an exercise recently in a major jurisdiction. It was apparent that it took considerable time and energy and was enlightening for both observers and players alike. Some jurisdictions are beginning to incorporate cyber components into their disaster management plans, but cyber exercises are a critical piece of the puzzle. The difficult-to-answer questions must be asked and answered before an event occurs, and all the critical agencies need to be at the table to address those situations.

Ask yourself this:

  • Are the departments within your jurisdiction operating under a common set of protocols, so it is clear what information will be shared and when?
  • Do the relevant executives have a basic understanding of the ramifications of a cyber attack? In other words, do the policy and technical people speak the same language? If not, that must change.
  • If an attack took out the 911 call center, what is the backup plan?
  • If critical data is encrypted through a ransomware attack, is your jurisdiction prepared to pay or is the data properly backed up?
  • Are the agencies and personnel familiar enough with each other before the incident that they can come together under this common protocol and address the immediate needs of the jurisdiction?
  • Does your jurisdiction integrate the technical staff into the decision-making process during an event?
  • Does your jurisdiction follow basic cyber hygiene to help prevent an event in the first place? Count, Control, Configure, Patch, Repeat.
  • Do your protocols include basic training for staff, including phishing exercises, password strength testing, and general awareness training?

Desktop exercises are not new to any of us, but with the ever-changing cyber threats, they need to be regularly scheduled within all jurisdictions and with all the right people.

The author, Mary Kavaney, is the Chief Administrative Officer at the Global Cyber Alliance.