Governors must now be prepared to respond to the growing threat of cyberattacks. States and territories count on experienced teams of public safety and emergency management (EM) professionals to prepare for, respond to and recover from natural and human-made disasters. With the integration of information technology (IT) into critical services, state and territorial officials must now expand their focus to consider the consequences of cyberattacks that have physical impacts and threaten public safety. Malicious actors have already shown a keen interest in targeting state and local assets. In 2016, a ransomware attack disrupted operations at the San Francisco Municipal Transportation Agency. The following year, malware shuttered the largest terminal at the Port of Los Angeles. In 2018, former Colorado Gov. John Hickenlooper declared a state of emergency — the first of its kind — after a ransomware attack infected 150 servers and 2,000 computers operated by the Colorado Department of Transportation (DOT).
This issue brief examines state cyber disruption response plans that governors are developing and testing in preparation for cyberattacks that demand coordination across state agencies. These plans detail the agencies that must respond to an incident, their roles and responsibilities (R&Rs), and how they will coordinate resources. This issue brief also examines how these plans align with the U.S. Department of Homeland Security (DHS) National Cyber Incident Response Plan (NCIRP), which establishes protocols to guide any federal and state response to a “significant cyber incident.” It concludes with recommendations for state leaders who are creating or revising their own response plans.
The National Governors Association (NGA) Center for Best Practices has identified 15 states with publicly available cyber disruption response plans. Among these plans, four were drafted after the release of the NCIRP. Older plans integrate federal policies and guidelines, such as the National Institute of Standards and Technology Cybersecurity Framework and the National Cyberspace Security Response System described in the National Strategy to Secure Cyberspace or a draft of the NCIRP.