G2TT
Source type: Report
Normalized type: Report
DOI: https://doi.org/10.7249/RRA1265-4
Source ID: RR-A1265-4
Managing Response to Significant Cyber Incidents: Comparing Event Life Cycles and Incident Response Across Cyber and Non-Cyber Events
Quentin E. Hodgson; Aaron Clark-Ginsberg; Zachary Haldeman; Andrew Lauland; Ian Mitch
Publication date: 2022-05-12
Publication year: 2022
Language: English
Conclusions

Various factors may make responding to a significant cyber incident more challenging

  • The preparations for significant cyber incidents in comparison with terror attacks, natural hazards, and public health emergencies are more complex due to the low likelihood of advanced warning, the high degree of uncertainty around an incident's scope and scale, the relative inexperience with responding to significant cyber incidents, and the high degree of diversity across responder groups.
  • High uncertainty in the early stages of a cyber incident can make initial interventions difficult to calibrate correctly because the vectors that lead to a standard cyber incident and a significant cyber incident are often similar.
  • The timing of an incident and the potential for multiple attacks can also pose challenges for responders, who may find it more difficult to coordinate as the cyber incident unfolds.

The disparities in response capabilities among entities — both public and private — are also a consideration for cyber incidents

  • Domestic cyber incident response still largely depends on voluntary coordination and cooperation between U.S. public and private sectors.
  • The U.S. response to natural hazards is built on decades of operational experience, while terrorist and significant cyber incidents are less frequent.
  • Despite efforts to establish processes for cyber incident response, the lack of experience in exercising those mechanisms in a robust manner means that it remains unclear how successful those efforts will be once implemented.
  • Some affected entities may not wish to share information on an incident, whether because of concerns over legal liabilities, reputational impact, or other factors.
Abstract

Cyber incident response has evolved based on systems and processes developed for other types of incident response, such as response to natural hazards. Large-scale cyber incidents that would have an impact on the United States' national and homeland security, economic security, and public safety and welfare to date are rare. However, they may have additional complications that make them more complex to plan for, including challenges in distinguishing the early stages of a significant cyber incident from a more quotidian incident, and the diversity of stakeholders involved. In this report, RAND researchers compare and contrast incident response for cyber and other types of hazards, both human-caused and natural, to derive initial insights into their similarities and distinctions. The report suggests some ways to improve preparedness for cyber incident response and proposes additional areas requiring further research. Recommendations include developing more rigorous and dynamic joint public-private exercises, conducting further analysis to identify how systems could fail through a cyber attack to inform early warning efforts, and developing decision mechanisms and shared understandings that will facilitate coordinated activation and execution of incident response plans.

Table of contents
  • Chapter One: Introduction
  • Chapter Two: Key Features of Non-Cyber Incidents
  • Chapter Three: Life Cycle of Significant Cyber Incidents
  • Chapter Four: Cross-Incident Analysis
  • Chapter Five: Recommendations and Areas for Future Research

Topics: Cyber Warfare; Cybercrime; Emergency Preparedness; Natural Hazards; United States
URL: https://www.rand.org/pubs/research_reports/RRA1265-4.html
Source think tank: RAND Corporation (United States)
Resource type: Think tank publication
Item identifier: http://119.78.100.153/handle/2XGU8XDN/524795
Recommended citation
GB/T 7714
Quentin E. Hodgson, Aaron Clark-Ginsberg, Zachary Haldeman, et al. Managing Response to Significant Cyber Incidents: Comparing Event Life Cycles and Incident Response Across Cyber and Non-Cyber Events. 2022.
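Files in this item
  • RAND_RRA1265-4.pdf (966KB); resource type: think tank publication; access: restricted; license: CC BY-NC-SA
  • x1651518150068.jpg.p (4KB); resource type: think tank publication; access: restricted; license: CC BY-NC-SA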