Developing the ‘Protect and prepare’ cyber resilience response
Richard Berry, assistant chief constable at Gloucestershire Police, national policing lead for cyber ‘prepare’ and communications data
Although a recent development, civic resilience planning was developed for a non-digital age. Existing planning needs to be adapted to cope with the special considerations required for cyber resilience. Only then can we outline the areas for capability development needed for the local resilience forum (LRF) network.
The Civil Contingencies Act is legislation born out of threats from a predominantly non-digital age. Consequently, it can be argued that we should not seek to shoehorn analogue legislation and practices into cyber and digital challenges.
However, at this time there is very little mature understanding of what can be adapted from the wealth of ‘pre-digital’ resilience experience which presently exists within the UK and what should be ‘genuinely new’. Having been a gold commander in a real cyber incident I am more than aware of the problems which can be faced when responding to a cyber incident.
Cyber presents a number of key challenges for LRFs. These may include all or some of the following features:
- It can thoroughly disrespect any notion of geography and an emergency which can be easily defined to a particular locality.
- Events can be multi-seated between commercial and civil organisations.
- Cyber incidents require different responders, partners, and decision-making processes to the normal multi-agency responses, and civil liabilities can be very different.
- The responders themselves may be affected by the cyber attack thereby affecting their ability to provide support.
- The velocity of event can require sometimes near real time decision making as threats manifest in different ways with changes in needs.
- Managing responses between the real and virtual worlds can be complex and require refined coordination; ie between the technical conversations and the operational decisions.
- The networks required to protect, test, exercise and prepare are under developed.
- There is little locally meaningful threat discovery intelligence available which could inform LRF assessments and their statutory duty to ‘prepare’ and exercise.
This list is not exhaustive and at first sight it might be a little daunting. The key to success however is to develop a staged model of change:
- The preferred first stage of change being pilot project to ‘discover’, scope, develop and test resilience planning frameworks.
- The natural second stage is to provide the necessary briefing, development and progression of wider cyber resilience planning on the most suitable basis –regions, cities or nationally managed roll out projects. Once products have been developed these could be easily shared in order to optimise public benefit and value.
- A final third stage is testing and exercising, tying the LRF community into cyber ‘prepare’ events with industry and other central government bodies.
This three phased approach would requires leadership and organisation; it will need to work across the Department for Communities and Local Government and the LRF network, with strong engagement with policing and other stakeholding agencies. The sustainability of cyber civil resilience will also require learning and training events, incorporating cyber threat related capabilities into normal LRF business.
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG led National Cyber Security Programme - Local and iNetwork. Read the other featured articles.