When disaster strikes, protecting data is just as important as the distribution of first aid, shelter, and food.
At “Connectivity and Cyber Safety in Natural Disaster Zones,” a panel discussion held on Jan. 11 at the 2018 International Conference on Cyber Security, panelists discussed the best strategies for promoting cybersecurity in the most chaotic, challenging environments.
Jake Schmitter, senior manager, North American Electric Reliability Corporation; Adam Marlatt, founder, Global Disaster Immediate Response Team; Keith Robertory, Director Embedded in FEMA, American Red Cross; Michael R. Singer, assistant vice president, and executive director of technology security at AT&T; and Ron Snyder, senior network engineer, Cisco Tactical Operations.
Trusted partnerships between technology firms and nongovernmental organizations that have been established before natural disasters strike are key, said Robertory. When he was in charge of disaster technology for the Red Cross, he often called telecommunications firms’ emergency teams for help. Although their standard spiel was that they couldn’t direct their priorities, Robertory said there were ways to cut through the red tape by emphasizing the critical needs and players.
“Knowing what your partners can do and cannot do is very important.”
During natural disasters, Robertory said “trying to make things easier for disaster survivors may also make it easier for hackers.” He cautioned that privacy pitfalls await well-intentioned efforts to help reunite displaced people, especially when their status and addresses are made public when they sign in to verify their safety after a disaster. For this reason, he noted that the Red Cross’ Safe and Well system doesn’t reveal a person’s location or any personal information.
“You have situations where landlords say ‘You need to tell me you registered for assistance, prove it by giving me your number.’ Then they can change the routing where the financial assistance goes,” he said.
Singer said a new development called “mobile key” holds promise for safeguarding personal information, especially for rescue workers who have access to command and controls, he said.
“You can look at a lot of things about how a person might hold a device, unlock a device, maybe put a certificate on the device. As you build up more and more things that can check, it builds your confidence that yes, that’s the right person, so let them take the next action,” he said.
Preventing disasters from happening in the first place is equally important, said Schmitter. The 2013 North American blackout was caused in part by human error and failure to follow proper procedures. To prevent it from happening again, the industry holds a large-scale exercises, dubbed “gridmageddon,” where every bad thing that could possibly happen within a two-day period is simulated.
“When the industry has an incident, how do they respond? And how do they reach beyond themselves when they’re in a situation that’s overwhelming?” he said.
“Do they have those preexisting relationships so that when bad things do happen, they know exactly the capabilities they can ask for, what the requirements will be, and how to get power back online as quickly as possible?”
Talk of power grids led to the plight of Puerto Rico after Hurricane Maria. Robertory said it’s difficult to convey how challenging it is to bring power back to the island. High-tension electrical wires in the United States are separated by wide right of ways, for instance, while many in Puerto Rico are not. So in some mountainous regions, it’s easier to reinstall poles by helicopter than by truck.
And, he said, you have to remove the existing infrastructure first.
“There’s a lot of good work going on in Puerto Rico, but it is simply overwhelming.”