The Limits of Risk-Informed Planning for State and Local Cyber Readiness

By Jeff Greene, Senior Advisor, Cybersecurity Programs, Aspen Digital, and Sezaneh Seymour, Vice President and Head of Regulatory Risk and Policy, Coalition

In March, the Administration issued an Executive Order titled “Achieving Efficiency Through State and Local Preparedness.” In addition to directing the federal government to shift more responsibility for resilience and disaster response to the states, the Order calls for the federal government to move from an “all-hazards” to a “risk-informed” approach to risk management. Under the traditional “all-hazards” model, preparing for a wide range of potential disasters means developing broad institutional capabilities such as response frameworks, training, and coordination mechanisms that can be flexibly applied to almost any crisis, even if imperfectly. By contrast, a “risk-informed” approach focuses resources on the scenarios deemed most severe and most likely, concentrating preparedness efforts on specific threats, potentially at the expense of generalized cyber readiness. Why should this matter to cyber policy professionals – and how can governments at all levels implement this change in a way that makes our country more digitally resilient?

The starting point is simple: we must accurately identify risk if we want to be able to mitigate it.

Persistent Challenges for Cyber Readiness

Governments and the private sector have decades of experience identifying and prioritizing risk from natural events – and centuries of data to draw on in that effort. Identifying and ranking cyber risk, by contrast, is notoriously difficult, because both the probability of an incident and the severity of its consequences are hard to predict. The most severe disruptions often produce second- and third-order effects that reach beyond public institutions to private businesses and citizens. Moreover, the threat landscape is always changing, because adversaries constantly adapt their attack methods in response to our preparations. Put differently, a hurricane does not learn from past “failures” and change its track to avoid our preparations – but cyber attackers do.

Effective state planning will require continued federal involvement and robust information sharing. While every state faces digital risk, the federal government possesses unique insight into both the specific and the aggregate risks that states may lack. Much of this insight comes from functions that states do not – and cannot – perform, most obviously foreign intelligence collection.

State, Local, Tribal, and Territorial (SLTT) governments face significant obstacles in accurately assessing digital risks, shaped in large part by three persistent realities.

This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.