Bringing Cyber Security into Emergency Management

An Example from New York

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Brian Nussbaum
March 18, 2016

In August 2015, I had the good fortune to present at the New York State Emergency Management Certification and Training (EMC&T) Academy in Albany, NY.  The EMC&T is a unique program New York State runs to provide training, insights into state operations and professional development to state and local emergency management officials.  The areas covered ranged from continuity of operations and social media to emergency operations center procedures, terrorism and natural hazard threats.  I presented (along with colleagues from several state agencies) information on cyber threats and their implications for emergency managers and management.  Our panel could not have asked for a better reception. There were good – and pointed – questions, a robust discussion and a lot of thoughtful feedback.

That the organizers of the EMC&T included cyber security (and had in their previous iteration) is actually reflective of the thoughtful and wide ranging approach to emergency management that New York State is taking. It is no longer possible to engage meaningfully in emergency management or disaster response without thinking of cyber risks and information technology.  From wastewater facilities to transportation infrastructure, we have already seen small and localized disasters because of cyber attacks that result in real physical damage.  Recent alleged attacks of a more sophisticated and dangerous variety—such as the steel manufacturing facility in Germany and the electrical infrastructure in the Ukraine—demonstrate the threat more concretely.  In fact, we’ve recently seen suggestions that such an intrusion, although details are unclear, may have happened to a piece of locally run infrastructure in New York State. When you add in the myriad lower level cyber threats and distractions that can disrupt response or otherwise cause chaos, ignoring cyber threats is something emergency managers can only do at their own peril.

Some of the best scholarship on disasters and emergency management has come out of social science including the fields of sociology, psychology, public administration, organizational behavior, urban studies and geography.  This is because the social—individual, organizational and institutional behavior—is laced throughout each disaster and disaster response. Increasingly it is clear information technology too is destined to be laced throughout every disaster and response.  Luckily, those engaged in disaster response are both increasingly recognizing that and moving forward accordingly.

In a previous career (and what sometimes feels like a previous life) as an intelligence analyst, I spent a lot of time traveling around speaking to audiences of law enforcement officers, agency executives and first responders about threats such as al-Qaida, criminal organizations and espionage by nation-state hackers. In that time, there were two kinds of audiences that always seemed most engaged: public health and emergency management audiences.  This could be the result of the more “security” focused officials and practitioners having more previous exposure to the material. Perhaps, but I think it also has something to do with the nature of emergency managers and public health officials. They have a natural curiosity, a sense of the interconnectedness of many different hazards and systems and a desire to learn whatever they can in order to help those people they are tasked with trying to aid and protect.

Overall, if the goal is to build a nation that is more secure against cyber attack, one of the key constituencies that needs engaging is state and local emergency managers.  While that process is beginning nationally, and has made particular progress in some states like New York, such engagement is still a long way from being consistent and mature.

---

Author: Brian Nussbaum is an assistant professor of public administration at the Rockefeller College of Public Affairs at the University of Albany. He can be reached at [email protected]. 

(3 votes, average: 2.67 out of 5)
Loading...