Inside Cybersecurity

District has yet to implement cybersecurity recommendations for nation's capital

March 30, 2015

More than a year after homeland security advisers urged the nation's capital to take action to counter significant cybersecurity risks, District of Columbia officials have yet to implement the recommendations and might not create a contingency plan for a catastrophic cyber attack as the panel advocated, according to Chris Geldart, director of the D.C. Homeland Security and Emergency Management Agency.

The D.C. Homeland Security Commission's 2013 annual report, released early last year, urged the District's leadership to issue a cybersecurity directive to establish a chief information security officer (CISO) position; to create a governance structure for addressing cyber risks and working with the federal government and industry; and to enumerate District agencies' roles and responsibilities.

Officials delayed development of the guidance last year due to the mayoral election and leadership transition, Geldart told Inside Cybersecurity in an interview. The District is working on a directive and hopes to issue it by the end of spring, he said.

“The need for such a directive cannot be overstated,” the commission wrote in its report. “The District is an urban area with great reliance on systems and functions that are vulnerable to cyber attacks including a complex overlay of federal and local government facilities and functions, as well as critical infrastructure under both public and private control.”

The District also has yet to implement the commission's recommendations to hire a full-time CISO; to develop a contingency plan for a cyber attack capable of causing a catastrophic loss of electrical power to the District for a week or longer; and to complete cyber risk assessments.

CISOs are in high demand in industry. There was no way to hire a competent person through the human resources process, so officials used a different process to conduct several rounds of interviews, Geldart said. The District plans to set up the funding stream needed to hire a full-time CISO and continue the job-candidate search, he said.

For now, however, the District has temporarily contracted out the CISO function for a six-month period to Science Applications International Corporation (SAIC), which was awarded a $150,000 deal spanning February to July, according to a spokesman for the Office of the Chief Technology Officer.

The District government has “not been able to move out on” the commission's recommendation to create a contingency plan for a cyber-attack scenario involving a catastrophic loss of electrical power, Geldart said. Although such a scenario has very significant consequences, it is considered unlikely and therefore has not been the focus of immediate attention, he said. There are “no specific planning opportunities” anticipated on that front, he said.

The District has a lot of contingency plans for an array of different kinds of hazards, he said. Further, it has focused on improving the resilience of the power grid to better enable the system to fail gracefully and recover from failures in less time, he continued.

The commission's report acknowledged the unlikelihood of catastrophic cyber attacks but stressed they are not impossible and argued the great severity of the potential consequences warranted a formal contingency plan. “There are plausible cyber disruption scenarios in which the local grid could be disrupted for a period of time lasting longer than seven days,” the panel wrote.

The head of the U.S. military command focused on homeland defense recently told Congress that a future cyber attack on U.S. critical infrastructure has the potential to rapidly produce massive damage on a scale that outpaces any natural disaster on American soil. Further, a presidential advisory panel study aimed at improving planning for a worst-case cyber attack on the country warned late last year that “there exists no effective methodology that currently supports the rapid mobilization and coordination of critical commercial sector assets to respond to a large-scale incident of national security concern.”

Relying on industry's planning is not enough, the District's commission concluded. “Pepco is taking a variety of leading steps to minimize the possibility of experiencing operationally disruptive cyber attacks and the company has a very strong cyber risk management program,” the commission wrote. “However, perfect prevention of high-consequence attacks is not possible, even at great cost; therefore, the District needs to take steps to ensure its resilience in the case of such a scenario.”

The panel also urged the District to create and use a framework to conduct cyber risk assessments on systems and infrastructure and to prioritize actions and resources needed to address those risks. “The framework should acknowledge the interdependencies, relationships, and responsibilities between all District agencies involved in managing a cyber incident,” the commission wrote.

Geldart said the District has a sophisticated cyber infrastructure. But he agreed with the commission that the District needs to conduct a deeper-level cyber risk assessment. Officials plan to complete such an assessment in six to nine months, he said, noting the study will very clearly identify and explain cyber threats and hazards.

– Christopher J. Castelli (ccastelli@iwpnews.com)