“Cyber incidents are a bit like a bar brawl – you might have a pretty good idea who started it, but you will never be absolutely sure”.
When it comes to managing contemporary cyber incidents and crises, the above statement couldn’t be more accurate. National cybersecurity strategies and international regimes are not only becoming increasingly common, they’re also proving difficult to implement and enforce. In this respect, some of the most pressing concerns are associated with key cybersecurity aspects like ‘terminology’, ‘perspective’ and ‘attribution’.
Crisis vs. Emergency
When it comes to terminology and definitions, the cyber realm suffers from the same problems as other domains. One look at a newspaper will reveal the very liberal use of the word ‘crisis’. This ubiquity yields little clarity about what actually constitutes a ‘crisis’ and how a crisis differs from an ‘emergency’. For the purposes of this discussion, an ‘emergency’ is a situation that can be handled with existing resources: business continuity management procedures in the private sector or, in the case of the state and public sector, the emergency and security services. An emergency should not result in any mid- or long-term damage to critical infrastructures or societies. Should those procedures and resources prove insufficient or ineffective, however, the potential exists for a ‘crisis’ to develop.
Crises usually develop out of unfolding dilemmas and events. A lack of capacities or capabilities often means that extraordinary measures are required to deal with increasingly uncertain and unstable conditions. That uncertainty is typically caused by information deficiencies: a lack of reliable, good-quality information impairs a decision-maker’s ability to respond to events appropriately and in good time. Slower response times in turn risk higher financial costs, a loss of public trust and confidence, and mounting pressure from the media, civil society and other stakeholders. In severe cases, the result is profound reputational damage.
Consequently, the challenges associated with crisis management in all domains can be attributed in no small part to the complexity of modern society. In this respect, social networks, a growing number of media outlets, the relative ease of travelling and other factors all help to ensure that today’s crises are typically of a complex nature, and information about them (or lack thereof) is quite often contradictory. Moreover, the variety of stakeholders and vested interests that can be attributed to a crisis undoubtedly complicates institutional responses and solutions. Competing political interests by their very nature tend to slow down decision-making processes.
A Question of Perspective
This feeds directly into problems associated with ‘perspective’. Making sense of a situation and taking appropriate action is shaped by psychological phenomena such as groupthink and cognitive dissonance, and responding to cyber ‘crises’ is no different. For instance, many private sector actors frame cyber crises as ‘extended business continuity management situations’. By contrast, international organizations tend to classify a cyber crisis as a strategic issue with global implications. States, for their part, are likely to view a potential cyber crisis as a matter of national security with severe ramifications for critical infrastructure and populations.
One way to overcome this divergence of opinion might be to restrict the use of the term ‘cyber crisis’ for the most severe cyber ‘incidents’. Apart from clearing up any misunderstandings, a clearer definition as to what actually constitutes a ‘cyber crisis’ might also result in a quicker and better coordinated response to the crisis at hand. This might even help to promote ‘best practice’ and information sharing between academia, public institutions and the private sector.
Handling Cyber Incidents and Crises: The Attribution Dilemma
The perception that a ‘cyber crisis’ is basically the same as a general crisis (albeit with a cyber component) is common. The same can be said of comparisons between managing a ‘cyber crisis’ and general crisis management. For instance, the Swiss National Cyber Security Strategy does not use the term “cyber crisis” as such, but promotes instead “national crisis management for crises with a cyber-characteristic”. This statement, in turn, implies that crisis management is process-oriented rather than scenario-driven: an event only becomes a ‘crisis’ once it exceeds the capabilities of emergency responders and requires decision making at the strategic level. This perspective is not uncontested, however. Several assumptions implicit in this broader conception merit further consideration when it comes to cyber-related incident and crisis scenarios:
- It fails to address the need for increased stakeholder coordination and cooperation, given the interdependence and connectivity between the public and private spheres in the cyber domain and the centrality of information systems in modern society
- It overlooks that stakeholders might not share the same goals and priorities when dealing with a ‘cyber crisis’
- Not only might the availability of information be compromised, but also its confidentiality and integrity: decision-makers may be working from information that has already been exposed to the adversary, or that has been deliberately falsified
- A ‘cyber crisis’ is likely to be more dynamic than a conventional crisis. For example, a malicious actor may use stolen information to escalate or steer a crisis according to their goals, giving it an element that might not exist in a typical non-cyber crisis
Finally, as Rid wrote: “Intention may be the only line separating the attack from the accident.” Determining who was responsible for an attack and why (“personal attribution” and “motivation attribution”) is a complex and time-consuming task, and acting on a hasty or mistaken attribution carries its own risks. The time to think long and hard about these questions is rarely available in a crisis situation, however. Consequently, the logical implications of attribution difficulties in a cyber ‘crisis’ include increased pressure, higher costs and the possible escalation of what was thought to be a ‘normal’ crisis into something even more complex.
Two trends in cybersecurity are noteworthy within the context of managing cyber ‘emergencies’ and ‘crises’: the increasing sophistication of cyber-attacks and the substantial capabilities of nation states in the cyber domain. These two aspects alone increase the potential for cyber incidents to develop into full-blown cyber crises. Fortunately, there are ways to address the issues related to the management of these ‘events’. The establishment of collaboration networks, the formulation of common terminology, and other confidence building measures will help to reduce some of the ambiguity associated with cyber issues. Additionally, growing knowledge and experience in dealing with cyber incidents will help establish functioning response procedures. Enhancing an organization’s intelligence and investigative capabilities is another key factor, in both the private and public sectors. Ultimately, these ‘counter’ strategies imply that the most effective responses to cyber crises are well organized and supported by strong internal situational awareness. Failure to put such mechanisms in place for cyber-related and non-cyber-related challenges alike risks creating a crisis ‘from within’ that compounds the external pressure coming from the original ‘event’.
Michel Herzog is a researcher in the field of critical infrastructure protection and cyber-security in the Risk and Resilience Research Group at the Center for Security Studies (CSS). His main research interests are the management of political risks, early warning and crisis management, especially in the field of critical infrastructure protection and cyber-security.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.