After a cyberattack forced a local Alaska government to disconnect its computer systems from the Internet this summer, employees were ready with a Plan B. They picked up pens and paper — and even resorted to typewriters — so that the government could continue its daily work, from collecting property taxes to checking out books at public libraries.
They had practiced for this kind of scenario, which helped ensure the multipronged malware attack did not grind public business to a halt, said Eric Wyatt, the Matanuska-Susitna Borough IT director. “Having these plans and being able to go to paper and pen and manual methods was very helpful,” he said. “We could keep our doors open and continue to provide service to our citizens.”
The focus of government cybersecurity has largely centered on developing cutting-edge solutions — and shoring up basic vulnerabilities — to prevent attacks on IT systems. But as more and more government business moves online, there’s a growing call among security pros and government officials for a different, albeit slightly more fatalistic, approach. Public agencies, this cohort says, should just assume they will be hacked — and practice how to carry out essential functions without Internet access or even computers in some cases.
“Assume the worst,” said Suzanne Spaulding, who was undersecretary for the Department of Homeland Security’s National Protection and Programs Directorate — the agency’s cybersecurity arm — in the Obama administration. “Assume that your adversary has gotten through all of your defenses and has figured out how to cause this kind of disruption where you may, for example, lose access to all the things that you rely on in the networked world, and how could you proceed.”
Kevin Mandia, chief executive of the cybersecurity firm FireEye, advocated for such an approach during a congressional hearing last month on homeland security threats.
Mandia wants senators to “require government agencies to develop and carry out continuity-of-operations plans that practice, even for just 24 hours, going without Internet connectivity while continuing critical functions.”