This post is an excerpt from our recent report with DLT and Symantec, The Plan for Recovering from Cyberattacks in Government Today.
On May 11, 2017, the president signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which outlines actions to enhance cybersecurity across federal agencies and critical infrastructure partners, including guidance on how best to respond to a cyberattack. The fiscal 2019 budget also highlighted integrating cybersecurity in all aspects of government technology.
But even though it’s in the president’s Executive Order and is a requirement, federal agencies often overlook the recovery step after a cyberattack. Given all the energy that agencies must put into detecting, defending against and responding to an attack, this omission is understandable, but today more than ever, recovery is critical.
“Think about a fire in your house,” said Durbin. “You do many things to protect your house from a fire, such as installing smoke alarms. If a fire does take place, you know how to respond by planning an exit strategy, and putting the fire out. But have you considered the steps for recovery? Is the house livable? Can you still use it? How will you better stop the fire next time? That’s where recovery comes in.”
Developing a recovery plan and adhering to it is critical for agencies, because the recovery function seeks to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that a cybersecurity event has impaired. It also supports timely recovery to normal operations to reduce the impact of a cybersecurity event.
“It’s not enough in a cybersecurity incident just to respond and do immediate triage,” said Maclean. “You need to get back to normal, and you need a plan for future recovery so you’re not just making it up as you go along – which could eventually make you susceptible to another cyberattack down the road.”