Escalating a cyber attack
If your house is on fire, you call the fire brigade. If your car breaks down, you call a mechanic. But who can you turn to when a cyber incident escalates?
Escalating an incident is an everyday ITIL Service Management process. Minor issues are resolved by the service desk, and critical-severity incidents are quickly escalated to the CIO or the board.
But what do you do when an incident is so serious that it is beyond your organisation's standard operating capability?
Declaring a state of emergency
On a national or regional level, exceptional circumstances sometimes necessitate declaring a “state of emergency”. This is used by regions dealing with natural disasters like Australia’s massive bushfires or in response to infectious diseases like Coronavirus.
What about dealing with a major cyber incident?
In July 2019, Louisiana declared a state of emergency after ransomware hit three public school districts.
A state of emergency in Louisiana means state resources become available. This includes help from cybersecurity experts in the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and other state level authorities.
A month later, 23 Texas towns fell victim to a coordinated ransomware attack, with the criminals demanding cryptocurrency payments from all of them at the same time.
The mayor of one city said the attackers demanded $2.5 million in ransom. Another mayor said the attackers had got in through the managed service provider that ran the city council's IT systems, which is how a single intrusion reached so many towns at once.
Although a state of emergency was not declared, the Texas State Operations Center worked around the clock after the attack, and the Texas Division of Emergency Management, the Texas Military Department, the Department of Homeland Security and the FBI were all involved.
When can you escalate a cyber emergency and who to?
The private sector does not have the option of declaring a state of emergency to unlock additional resources for dealing with an attack. There are, however, bodies you can call on for assistance, and in the UK the main ones are the Police, the NCSC and the ICO.
Getting support from the NCSC
The National Cyber Security Centre (NCSC) is the UK’s cyber security authority. It offers “real-time threat analysis, defence against national cyber attacks, technical advice on cyber security, and response to major cyber incidents”. This includes guidance and resources, through to active involvement when needed.
The NCSC has six incident categories, from Category 6 (localised incident), through Category 5 (moderate), Category 4 (substantial), Category 3 (significant) and Category 2 (highly significant), to Category 1 (national cyber emergency). The resources available depend on the seriousness of the incident. For example, a Category 6 incident (a cyber attack on an individual or an SME) gets remote support and standard advice.
A Category 1 incident is a cyber attack causing sustained disruption of UK essential services or affecting UK national security. In this case the NCSC, law enforcement, lead government departments and other relevant bodies coordinate the response.
If your incident is isolated (and assuming you are not part of the critical national infrastructure) it is unlikely you will receive direct assistance. If the attack is more widespread, like the coordinated attacks in the US, the response may be led by the NCSC. Even when no hands-on help is available, reporting the incident to the NCSC is still worthwhile: it feeds the national picture of who is being targeted and how, which is what the NCSC's threat analysis and advisories are built on.
When do you contact law enforcement?
The NCSC also has guidance on exactly this. Its advice is simple:
“…a cyber attack is a crime. Report to law enforcement via Action Fraud or through Police Scotland’s 101 call centre. The NCSC strongly encourage the reporting of a cyber incident; many go unreported because of personal embarrassment. However, if a cyber incident has been committed against you, someone else may have suffered a similar crime. The more individuals report, the more likely it is that perpetrators will be arrested, charged and convicted.”
Embarrassment is an underrated factor. If the data lost isn't business critical, it is tempting to brush the incident under the carpet and move on. That under-reporting is a real problem in cyber security, because it hides the true scale of criminal activity.
Contacting law enforcement should be treated as a standard step in your response, even if you get no support or direct benefit from it. The benefit is for everyone else: the more incidents are reported, the better law enforcement can scope the problem, link related attacks and help other victims.
When should you notify the ICO?
The reason for notifying the ICO is not to request assistance but to fulfil your regulatory obligation. Under GDPR a notifiable personal data breach must be reported without undue delay and, where feasible, within 72 hours of becoming aware of it, so the decision whether to report cannot wait until the incident is fully understood.
The Information Commissioner’s Office (ICO) states,
“… you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.”
This differs from the NCSC's advice to report any incident regardless of severity. The ICO urges pragmatism: who is in harm's way? That may be staff or clients. But if you choose not to report, you need a documented reason.
The reason for the difference is the role of the ICO. Its purpose is to govern how information is handled, under legislation such as GDPR, the Data Protection Act and the Freedom of Information Act, and its remit is not limited to cyber crime. It is only interested when information, particularly personal data, is affected. Not all cyber attacks constitute a breach or compromise of data. A DDoS attack will affect a business's ability to function and is a crime, but no data is compromised, so it won't necessarily need to be reported to the ICO. Be careful with that reasoning, though: under GDPR a personal data breach includes loss of access to or destruction of personal data, not just disclosure, so ransomware that encrypts personal data can be a notifiable breach even if nothing was stolen.
The arrival of GDPR led to huge volumes of reports to the ICO, and the ICO does not want to receive reports of cyber attacks that fall outside its remit. It leaves the company's Data Protection Officer to judge the risk to personal data. The DPO may decide that an incident doesn't need to be reported to the ICO, but must still document the incident, the decision and its justification.
Tell your insurer as soon as you are clear on the type of incident. This is important if you need to make a claim later, and they may also provide assistance during the incident. Cyber insurance is a relatively new and rapidly growing field, and policies often include access to expert support for the response, whether that is PR and crisis-management professionals or cyber specialists. It is obviously in the insurer's interest to speed up the recovery and minimise the eventual claim. Check the policy wording before an incident, not during one: many policies set a notification deadline and require you to use the insurer's approved incident response providers, and engaging other firms first can put the claim at risk.
If your insurer doesn't offer this type of support, you would be wise to consider calling in third-party experts for advice, resources and more hands on deck for your response.