The routines of people across the globe stand significantly altered as we continue to adjust to a “new normal” in the face of a pandemic health threat. While much of the conversation surrounding COVID-19 is rightly focused on limiting its spread, some discussion also aims to consider whether we had appropriately planned for such an event — not just within federal or state governments, but as organizations, communities and individuals.
Unfortunately, consideration of “were we prepared?” is often triggered only by experiencing a systemic shock so severe that it is all too easy to identify areas for improvement. On the flip side, it is the systemic shocks we don’t experience — and the ones that are successfully limited — that highlight the payoff of preparedness, if we only knew to make the connection.
In a health threat, the indicators are all too visible. We experience the impacts socially and economically, across education and entertainment, as we work and shop, and within our networks of family and friends. We know something significant has happened, because at some level, it is happening to us.
Yet when we seek to prepare ourselves for threats in the digital world, the impacts seem distant, if not altogether unreal. For some, this is because we struggle to make connections between our cyber and physical worlds. Others may feel cyber hygiene is someone else’s responsibility — be it an internet service provider, a network administrator or even a more tech-savvy family member. And perhaps most importantly, it is because we have yet to experience a cyber threat with wide-ranging impacts to our daily lives.
In any case, we can’t wait for that to happen before we consider our preparedness at all levels.
Public health preparedness and cybersecurity preparedness have a lot in common. For example:
We must account for the interconnectedness of our networks when developing prevention and response plans. In public health, we see the need for “social distancing” to limit exposure. In the digital realm, this is typically evident when an organization fails to effectively coordinate with another, enabling the threat to spread. Think how the intrusion at Sony Pictures quickly spread to contacts within its corporate and personnel networks.
Awareness in the absence of active threats is critical. By the time a virus has captured media attention, we’re already in mitigation mode. With cyber threats, the weakest link is often an individual. A lack of cyber hygiene can undercut the best-laid organizational security plans and compromise entire networks.
Effective communications for incident response requires advance coordination. Whether responding to a viral outbreak or a network intrusion, communications are inherently reflexive and unlikely to reach every audience. Only by developing shared communications expectations and protocols can we be ready when stresses hit.
Recognizing symptoms early can make the difference between containment and an outbreak. Just as we have adopted a heightened sensitivity to runny noses and coughs recently, we need to consider that mindset when triaging cyber alerts. A malfunctioning pipeline sensor could be a “one-off” — or the first of escalating indicators that would be identified only through effective coordination.
With these principles in mind, organizations across South Carolina are engaged in a multi-tiered initiative with federal, state, and international partners to strengthen our shared preparedness to potential cyber threats.
The University of South Carolina recently hosted dozens of representatives from government and industry to discuss their organizations’ response plans. The exercise, facilitated by a team from the U.S. Army Cyber Institute at West Point, enabled participants to weigh a series of potential threats — all based on real-world scenarios — and share their approaches to explore our community’s collective preparedness and resilience.
The event identified areas for improvement and highlighted best practices from organizations, including the State Law Enforcement Division, which plays a lead role in orchestrating unified response activities.
This event was a first step in a series designed to strengthen awareness, relationships and plans so we can more effectively respond to tomorrow’s threats. It’s critical that we not only maintain this initiative but also inculcate it at the level of every individual.
In the months to come, few among us will feel that our lives have gone unchanged as a result of COVID-19. I’m proud to say South Carolina is putting in the work now to ensure we’re better prepared to face cyber threats — and we’ll know we’ve succeeded when our lives feel unchanged by them.
Robert L. Caslen is the 29th and current president of the University of South Carolina.