By APCO’s Technology Team
It is our intent to deliver timely, actionable information to APCO members through this site and to provide you with tools and information to keep your agencies and organizations as secure as possible. For those of you who work in the cybersecurity field, you are well familiar with the adage “it’s not if you’ll be attacked, it’s when.” For those to whom cybersecurity is relatively new, don’t let that phrase scare you off, it’s simply an expression of the reality we all face in a digital age. Because of this reality, it is increasingly important that staff at all levels of an organization understand that cybersecurity is everyone’s responsibility.
This website, along with other cybersecurity offerings, seeks to assist APCO members in identifying and mitigating the risks from cybersecurity incidents. It is important that every agency or organization develop guidelines for establishing effective cybersecurity strategies, including training, awareness, and incident response programs. The primary focus of this site will be to provide information that should assist with detecting, analyzing, and responding to incidents. This information is not meant to be kept close to the vest. Information sharing, strategic planning, and a willingness to engage in the process are part of everyone’s responsibilities. The weakest link can be anyone, or anything, and a failure can happen at any time. Only by working together as teams, sharing information, being willing to learn from our mistakes, and sharing those lessons with others can we be successful in the ongoing battle to secure our networks and systems.
To that end, I would like to share with all of you a few suggestions based on how APCO approaches cybersecurity incidents as an organization.
A cybersecurity incident is defined by the Department of Homeland Security as an occurrence that:
(A) Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
(B) Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.1
An incident could be either intentional or accidental in nature.
Examples of cybersecurity incidents may include, but are not limited to:
- An incident in which an attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
- An incident in which users are tricked into opening a “quarterly report” sent via email that is actually malware; opening the attachment has infected their computers and established connections with an external host.
- An incident where an attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
- An incident where a user provides or exposes sensitive information to others through peer-to-peer file-sharing services.
Unfortunately, successful incidents similar to those noted above have occurred across the public safety landscape. These incidents can cause financial and reputational harm, disrupt daily operations, and create compliance issues with state and federal laws.
Sharing information, getting everyone engaged, and establishing cyber incident response capabilities help personnel to minimize loss or theft of information and disruption of services caused by cyber incidents. Incident response capabilities also build institutional resilience. Information gained and lessons learned during incident handling can help an organization better prepare for future incidents.
One of the elements of APCO’s internal technology mission is to provide, secure, and maintain information systems, allowing the Association to accomplish its mission. This same approach can work for organizations of any shape and size.
Timely and thorough action to manage the impact of cyber incidents is a critical component of the response process, and it requires everyone’s involvement for a response plan to work. The response should limit the potential for damage by ensuring that actions are well known and coordinated. Cyber incident response goals can include:
- To protect the well-being of the agency and community.
- To protect the confidentiality, integrity, and availability of agency systems, networks, and data.
- To help personnel recover their business processes after computer or network security incidents.
- To provide a consistent response strategy to system and network threats that put data and systems at risk.
- To develop and activate a communications plan including initial reporting of the incident as well as ongoing communications as necessary.
To achieve these goals, APCO has adopted security best practices derived from standardized incident response processes such as those published by the National Institute of Standards and Technology (NIST) Special Publication 800-61 and other authorities.
The specific incident response process elements that comprise the APCO Cyber Incident Response Plan include:
- Preparation: Maintaining and improving incident response capabilities and preventing incidents by ensuring that systems, networks, and applications are sufficiently secure.
- Identification: Confirming, characterizing, classifying, categorizing, scoping, and prioritizing suspected incidents.
- Containment: Minimizing loss, theft of information, or service disruption.
- Eradication: Eliminating the threat.
- Recovery: Restoring computing services quickly and securely.
- Post-incident activities: Assessing the response, through reports, “Lessons Learned,” and after-action activities, to better handle future incidents, and mitigating the exploited weaknesses to prevent similar incidents from occurring in the future.
While this is only a small subset of the APCO Cyber Incident Response Plan, we hope that this information at least provides a starting point for your agencies and organizations. As you can see from this brief description of what is required, everyone’s input and participation matters. From the frontline public safety telecommunicator who will likely be the first to notice initial signs of an attack, to the supervisors who will make the first call on responding, to the management and IT professionals who ultimately hold responsibility for the technical response and overall management of incidents, everyone is involved and everyone has responsibilities.
APCO hopes to help our members and your agencies stay informed and be prepared through this new website and through our ongoing efforts via other media. By sharing information, lessons learned, and innovative ideas related to cybersecurity, APCO members can help each other and our public safety communications community as a whole. On behalf of APCO, we welcome you to the new website, and we look forward to working together to keep our profession informed and secure.
1 From www.whitehouse.gov/sites/default/files/omb/legislative/letters/coordination-of-federal-information-security-policy.pdf – 44 U.S. Code § 3552