Connecting state and local government leaders

Microsoft’s 5 Steps to Urban Cyber Resilience

Dallas, Texas

Dallas, Texas

 

Connecting state and local government leaders

If the Dallas hack taught us anything, it’s that cities are growing targets.

All 156 outdoor emergency sirens throughout the city of Dallas wailed for more than an hour last Friday night and early Saturday morning, the result of what officials said was a hack that forced the system offline and caused a flood of 9-1-1 calls.

The cyber breach revealed just how vulnerable cities’ information and communications technology is, especially when poor cybersecurity protocols are in place.

A natural disaster compounded by a cyberattack could prove devastating, which is why the emerging discipline of cyber resilience must be undertaken alongside urban resilience more generally.

“City leaders must plan for cyberthreats such as information theft, integrity breach or disruption of services and should also consider the likelihood of natural disasters in their regions such as earthquakes, floods or hurricanes,” wrote Paul Nicholas, Microsoft senior director of global security strategy and diplomacy, in a blog post. “Becoming cyber resilient can help lighten the load of uncertainty when one of these unforeseen events happens.”

Nicholas just released the white paper “Cyber Resilience: Digitally Empowering Cities,” which outlines five steps to securing cities.

It’s important to note the difference between cyber resilience and cybersecurity:

Cybersecurity is about protecting the confidentiality, integrity, and availability of data, ICT systems, and ICT infrastructure. Cyber resilience is about the ability of ICT systems to continue delivering their intended output in some form, even if cybersecurity is failing or has failed. Cyber resilience does not mean that operations and their supporting infrastructures will not fail, nor that a city is no longer vulnerable to cyberattacks—rather that it can adapt and recover from them. Innovating in a crisis is the true hallmark of resilience.

Step one is identifying key threats and gauging their potential effect on critical cyber systems and functions, followed by step two: prioritizing critical services.

From there, cyber resilience goals can be set and then capabilities can be tested. Those capabilities include readiness in the form of infrastructure risk management, disruption recovery and research; adaptive response during crisis; and reinvention of a city’s strategy based on successes and failures.

The final step is establishing roles and allocating resources, according to the report:

So during the process of defining roles, the city would identify a lead who would coordinate the response of all teams involved. Additionally, the city would need to ensure that it has other resources in place—for example, social media where citizens could receive updates from city officials, or even a backup website with bus schedules.

Cloud computing, the Internet of Things, machine learning and artificial intelligence all make peoples’ lives easier, but as they gain traction as a means to deliver city services they also increase the likelihood of a cyber breach. Long-term cyber resilience plans that take them into account will vary from city to city but are critical to continued economic development.

Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.

NEXT STORY Bill for ‘Sanctuary City’ Penalties Gains Steam at Texas State Capitol