Cybersecurity: New Regional Incident Response Planning System

By Eric Yancy

Technology touches every aspect of our lives. Devices protect our homes, help us stay connected, and give us access to a wealth of knowledge that can be as easy as speaking to a digital assistant.

As we increase our dependency on technology, we also increase our exposure. There seems to be an endless supply of headlines detailing the latest attacks on our critical infrastructure, causing service disruptions, costing millions of dollars, and even being attributed to the loss of life as hospitals are forced to turn patients away.

This dependency doesn’t stop inside our data centers. If you have experienced a cyberattack recently, you know firsthand how quickly a localized event can expand to include multiple jurisdictions. If you have been fortunate enough only to experience an incident during your annual tabletop, then the August 2019 ransomware attack against 22 Texas cities can provide context.

The hard truth is that we can no longer afford to have an isolationist approach when responding to a cybersecurity incident.

To be clear, I am not putting down the multiple incident response frameworks and templates that have been made by various three- and four-letter agencies. I am not even disparaging the use of that internally developed plan that hasn’t been edited since Y2K. I am merely suggesting that these plans have limitations if an event expands beyond an organization’s infrastructure, irrespective of how colorful the binders are. To quote Douglas MacArthur:

“No plan survives first contact with the enemy.”

The August 2019 ransomware attack was a “call to action” for the North Central Texas Council of Governments (NCTCOG). After receiving project approval and grant funding from the Department of Homeland Security, the committee partnered with a leading consulting firm after vetting numerous RFP respondents. From the very start of the project in October of 2020, the committee was committed to creating a response system both IT and Emergency Management can understand, is easy to scale (think NIMS ICS), and would be available to the entire State, Local, Tribal, and Territorial (SLTT) community. After a year of work, the result is the creation of a regional “Incident Response Planning System” (IRPS).

A sneak peek of the IRPS will be provided during the TAGITM Regional Conference on December 8. This is a chance for IT and EMOs to start thinking about the system’s benefits in anticipation of the official launch on December 31. If nothing else, hopefully, this will facilitate a critical view of organizations’ existing response plans and a candid discussion on its efficacy at scale.

The NCTCOG committee understands that the regional IRPS will lose significant value without broad adoption and continuous improvements. To avoid “taillight support” (support ending with the vendor’s taillight), the re-launch of the TAGITM Cybersecurity Committee will be timed with the launch of the IRPS. The Cybersecurity Committee will provide a platform to receive feedback and to improve and update the system continually. Stay on the lookout in the TAGITM Listserv for information about joining the TAGITM Cybersecurity Committee, or feel free to reach out to me directly. In the spirit of optimism, I leave you with the following quote:

“For I know the plans I have for you, declares the Lord, plans for welfare and not for evil, to give you a future and a hope.” Jeremiah 29:1

Eric Yancy is the Information Security Officer for the City of Denton, Texas.