No one can predict when disaster will occur. But organizations, whether government or private, can control how well they respond. It is all about risk mitigation and resilience. Thinkers at the Center for Strategic and International Studies (CSIS) have pondered how the federal government can help state and local governments improve resilience in what CSIS calls “connected areas”: workforce, climate security, supply chains and cybersecurity. For more, Federal Drive with Tom Temin spoke with Suzanne Spaulding, CSIS Senior Adviser.
Interview transcript:
Tom Temin: And we should begin by saying your contribution to this was your cyber expertise, having run [Cybersecurity and Infrastructure Security Agency (CISA)] and having worked in the federal government on the cybersecurity side for some time. You kind of concentrated on that particular issue, correct?
Suzanne Spaulding: That’s right.
Tom Temin: All right. Tell us, what are the issues at the state and local level such that the federal government could do some good there?
Suzanne Spaulding: The first thing we did, and I should note, as you did, that the report itself on resilience covers, in addition to cyber resilience, a section on supply chain resilience, on climate change with a particular focus on the impact on energy, and then, running through all of them but also given its own section, workforce resilience, which is clearly a thread that pulls across all three of those and upon which their resilience depends. And as you say, I focused on the cyber resilience piece, and we had to start, all of us, working on this report by getting our arms around what is meant by resilience, because it’s used so often now and often is used interchangeably with security. But as you pointed out, Tom, in your introduction, resilience is really about how do you reduce the consequences when the things you’ve done to try to secure your network have failed, and that bad actor has exploited a vulnerability and has the potential to cause some significant consequences, not just to your network, importantly, but to the functions that network enables. So to your business, if you’re in business, or to your mission essential functions if you’re in government. And so resilience is about what are the plans you have in place to reduce those consequences.
Tom Temin: Fair to say, this first came to light in a national way when, I think it was four or five years ago, Baltimore was hit with a cyber attack such that most municipal functions actually ceased. And it was a few months before they could even get building permits going again, transfers of property, the basic functions people turn to a city to do.
Suzanne Spaulding: We’re seeing this in cities and towns all across the country. And so, yes, there is a growing recognition that we spend a lot of time in cyber conversations talking about how to deter and prevent the threat, how to reduce our vulnerabilities. Those are important. We don’t spend nearly enough time talking about how we are going to reduce the consequences in a world in which we know there’s no 100% guarantee of security. You have to assume in your planning that that bad actor is going to get in with their malware and you’re going to be in a ransomware situation. And now, what are the plans and the processes and the things you have in place to be able to operate in a degraded fashion, to be able to continue to provide essential goods and services? And the federal government can play a role there in helping both within the federal government, to increase its own resilience, but also to help those state, local, territorial and tribal governments and businesses.
Tom Temin: And what are some of the top line things that governments, agencies, any kind of organization serving the public needs to have in its toolbox for resilience?
Suzanne Spaulding: So you need to have that continuity of operations planning, continuity of business planning. And that requires that you bring in not just your IT people, but your full team: your operational folks, your communications folks, your financial folks, your billing folks. All of those people who are essential to your business need to be part of that planning, because they’re the ones who are going to have the insights both into the consequences, but also into the ways in which you can mitigate those consequences. I often say that your IT people, as brilliant as they may be, really are probably in no better shape to tell you about the impact on your business or your mission essential functions of a successful cyber attack than an electrician is to tell you the impact on your business if the power goes out.
Tom Temin: We’re speaking with Suzanne Spaulding, senior adviser for Homeland Security at the Center for Strategic and International Studies. It sounds almost as if, in some cases, you need to keep paper backup.
Suzanne Spaulding: They need to think about analog solutions, in many instances, to this very technical threat that we face and risk that we face. And the federal government can help in a number of ways. Congress, first of all, can provide adequate funding for the kind of analysis that we need, that, for example, the National Risk Management Center at my old shop at [Department of Homeland Security (DHS)], now I’ve called CISA, the work that they do to understand consequences, understand interdependencies, and the prospect for cascading consequences, in which are the functions that, if disrupted, would have the greatest impact. That’s essential for prioritization. We need Congress, when it’s passing something like the Infrastructure Act to rebuild our infrastructure across this country and update and upgrade our infrastructure, to provide the funding needed to build in resilience. We talk about secure by design. We should be thinking about resilience by design as well. So those are things that the government can do. We can provide, CISA can provide, templates for that planning. Who needs to be involved? Here’s the checklist, here’s how you do that continuity of operations planning. And sector specific agencies can do the same and provide analysis on understanding consequences.
Tom Temin: And one of the connected factors in the report was the supply chain. And increasingly, cybersecurity is a function of supply chain security, fair to say?
Suzanne Spaulding: Absolutely. And the supply chain section is outstanding. It breaks down the various categories of threats to the supply chain, which is a great analytic tool for trying to get your arms around it. And then some very interesting practical suggestions for how we might build greater resilience in the supply chain, including things like having digital twins as a kind of backup for supply chain disruption, and even something called a digital seed bank.
Tom Temin: And that is what exactly?
Suzanne Spaulding: Well, we think about the traditional concept of a seed bank. If plants become extinct, we’ve saved some seeds. So have a third party, perhaps, hold a repository of critical digital components and software, etc., so that if that supply chain is disrupted, we can go to that seed bank, and that might allow, for example, for domestic production of the needed digital tools and components.
Tom Temin: So you almost need to keep those artifacts, which gets to the issue of backup and recovery itself. Is that, I wonder, becoming a bit of a lost art as people presume their cloud providers will take care of all of that?
Suzanne Spaulding: Well, one of the key things that folks need to think about in the context of backups: I work with a lot of companies and often ask them, do you have all your data backed up? Oh yeah, we’ve got it backed up. Have you ever tried to use that backup data? Well, no. And that is a challenge. That is something that is not automatic or easy. And so companies need to not only know they have secure backup that is, in fact, completely separate and distinct from their network so that it is fully backed up, but also that they have exercised using that backup data. So backups are important, but you can’t assume that you’ve got that taken care of. Exercise it. Even if your backup is in the cloud, exercise using it periodically, on a regular basis; use your backup data.
Tom Temin: Sure. Just to make sure the old bag of flour is still fresh, I guess, if you’re going to make a cake. And this report now is extensive, it’s long and it covers those four areas. A lot of people at CSIS worked on it. What happens to it now? How do you make it not just another Washington report?
Suzanne Spaulding: Well, we did have a rollout event. And I would encourage folks who want to see the great conversations with outside experts we brought in to discuss this to go to CSIS.org. We are briefing the government, elements of the government, on the report and having conversations about how it applies to the work that they’re doing. And I’m out talking to businesses all the time about the importance of resilience. I have been long before this report and will continue to do so.
Copyright © 2024 Federal News Network. All rights reserved.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.