Cyber Response Assumptions Part III - No Traditional Boundaries in Cyberspace

Let's consider a hospital triage unit. Their job is to prioritize patients based on the severity of their condition, and to ensure that those in need of immediate attention get it quickly, while delaying attention and treatment to those less critically injured. To make a long story short, a patient with a broken arm arriving at a triage location at the same time as a patient in cardiac arrest will likely not receive attention until after the more severely injured patient receives care. It's a relatively well-defined, easy-to-follow system. Of course, there are debates about how to classify certain types of injuries - but those are more related to specific details - the process itself is quite well accepted. One may debate whether a ruptured appendix is a 'Class 2' vs. a 'Class 3' case - but few would debate that such a patient should be seen after someone with a splinter in their foot.

This format works well in a situation where all arriving patients are considered to have the same 'level of importance.'

It's not that easy in a cyber response. Let's consider the next assumption:

- Assumption #2 - Not all Critical Infrastructures are going to receive equal priority. The long and short of this is that there are simply too many sectors and components of the critical infrastructure for equal treatment and priority to be delivered to all of them simultaneously. So there is/should be a hierarchy within even the select Critical Infrastructure sectors.

When the number of responders is exceeded by the number of points which require response - even in the segment defined as 'critical infrastructure' - something has to give. It may not be physically possible to perform detailed response/recovery/restoration across all of those critical infrastructure organizations impacted by a cyber disaster. In fact, it's almost a guarantee that it will be impossible to actively work on all those sectors/agencies/companies simultaneously, even in the critical infrastructure space.

That means that the only reasonable way to approach the critical infrastructure is to create what is essentially a prioritization and hierarchy within it. Sounds reasonable.

Consider for a second the list of sectors deemed 'critical infrastructure' and the agencies which are responsible for working to ensure continuity of operations.

  • Agriculture and food (Department of Agriculture, Department of Health and Human Services, Food and Drug Administration)
  • Banking and finance (Department of the Treasury)
  • Chemical (Department of Homeland Security)
  • Commercial facilities (Department of Homeland Security)
  • Commercial nuclear reactors, materials, and waste (Department of Homeland Security)
  • Critical Manufacturing (Department of Homeland Security)
  • Dams (Department of Homeland Security)
  • Defense industrial base (Department of Defense)
  • Drinking water and water treatment systems (Environmental Protection Agency)
  • Emergency services (Department of Homeland Security)
  • Energy (Department of Energy)
  • Government facilities (Department of Homeland Security)
  • Information technology (Department of Homeland Security)
  • National monuments and icons (Department of the Interior)
  • Postal and shipping (Department of Homeland Security)
  • Public health and health care (Department of Health and Human Services)
  • Telecommunications (Department of Homeland Security)
  • Transportation systems (Department of Homeland Security)

What a list that is - and it really gets the mind thinking about coordinated response across those sectors by those agencies. Is DHS staffed to be the primary responder for 10 of those concurrently? And if not, how do they prioritize Nuclear Reactors vs. Emergency Services vs. Telecommunications?

I suspect there is movement in the response coordination world to start to draw priorities within the critical infrastructure sectors themselves. If not, that old Air Force adage applies again: 'If everything's a priority, nothing's a priority.'