
The Limits of Risk-Informed Planning for State and Local Cyber Readiness

June 5, 2025
  • Jeff Greene, Distinguished Fellow, Cybersecurity Programs, Aspen Digital
  • Sezaneh Seymour, Vice President and Head of Regulatory Risk and Policy, Coalition

In March, the Administration issued an Executive Order titled “Achieving Efficiency Through State and Local Preparedness.” In addition to directing the federal government to shift more responsibility for resilience and disaster response to the states, the Order calls for the federal government to move from an “all-hazards” to a “risk-informed” approach to risk management. Under the traditional “all-hazards” model, preparing for a wide range of potential disasters means developing broad institutional capabilities such as response frameworks, training, and coordination mechanisms that can be flexibly applied to almost any crisis, even if imperfectly. By contrast, a “risk-informed” approach would focus resources on those scenarios deemed most severe and likely, concentrating preparedness efforts on specific threats at the expense of generalized cyber readiness. Why should this matter to cyber policy professionals – and how can governments at all levels implement this change in a way that makes our country more digitally resilient?

The starting point is simple: we must accurately identify risk if we want to be able to mitigate it.

Persistent Challenges for Cyber Readiness

Governments and the private sector have decades of experience identifying and prioritizing risk from natural events – and centuries of data to use in that effort.  But identifying and ranking cyber risk is notoriously difficult because the probability and the severity of consequences are often difficult to predict.  The most severe disruptions often produce second- and third-order effects that impact not just public institutions, but also private businesses and citizens. Moreover, the threat landscape is always changing because our adversaries constantly adapt their attack methods in response to our preparations.  Put differently, a hurricane does not learn from past “failures” and change its track to avoid our preparations – but cyber attackers do. 

Effective state planning will require continued federal involvement and robust information sharing.  While every state has digital risk, the federal government possesses unique insights into the specific and aggregate risks that states may lack.  Much of this comes from the functions that states do not – and cannot – perform, most obviously foreign intelligence collection.  

State, Local, Tribal, and Territorial (SLTT) governments face significant obstacles in accurately assessing digital risks, shaped in large part by three persistent realities.

1. Limited visibility and resources at the state and local level

SLTT governments lack insight into the cyber readiness and digital resilience across many critical digital systems in their jurisdictions because most are owned and managed by private entities.  While the federal government has spent decades developing robust public-private information-sharing frameworks with industry partners, such mechanisms are often absent or underdeveloped at the state level.  Conversely, the federal government has been able to leverage longstanding relationships, dedicated resources, and centralized authority to maintain situational awareness across critical sectors.  In contrast, SLTT governments, even in the best-case scenario, will need significant time and investment to establish these partnerships, and some may never have sufficient resources to do so absent federal help, leaving them at a perpetual disadvantage.

2. Cyber threats are evolving and unpredictable

Malicious actors constantly adapt their tactics, techniques, and procedures, making threats both unpredictable and deeply complex. For decades, federal agencies have drawn from extensive global intelligence networks, sophisticated analytical capabilities, and dedicated teams focused solely on cyber defense, giving them a significant edge in tracking and adapting to emerging threats. But SLTT governments do not have the legal authority or the capacity to replicate federal intelligence collection resources, and, even more worrisome, most also lack the analytical capability, organizational bandwidth, and technical resources needed to stay abreast of emerging threats. As a result, many SLTT governments underestimate or overlook digital risk altogether. They will continue to need federal government support to understand state-sponsored actors’ intentions and plans, as well as adversaries’ actual prepositioning within critical infrastructure systems.

3. Risk assessments that are fragmented across jurisdictions may mean certain risks are underestimated, leading to a false sense of security.

Cyber risks do not respect geographic or organizational boundaries. If each of the 50 states and the myriad local jurisdictions takes a narrow, siloed view of its own situation, all entities lose the opportunity to pool information and coordinate comprehensive regional responses. This can lead to siloed risk visibility and a false sense of security – a city may assume that during a crisis it could rely on a neighboring jurisdiction’s systems and base its plans on this assumption. This may well be true during isolated incidents but would not work in a regional or national event. In contrast, the federal government aggregates data and intelligence on a national scale, and can recognize patterns that cross state borders. The federal government will therefore plan to mobilize resources for a unified, large-scale response. This ability to see and act on the proverbial big picture is critical for effective cyber risk management and cyber readiness, because digital risk is aggregate and crosses jurisdictional lines.

This underlying difficulty – that digital risk is notoriously hard to assess – matters even more in a future shaped by state-led, risk-informed planning.  Where an all-hazards approach involves preparation for a wide range of potential threats and developing core capabilities to respond to a range of natural and man-made incidents, risk-informed planning involves developing response capacity and protocols based on the likelihood and severity of incidents.

In either approach, accurately assessing risk is the starting point, because preparedness and resilience planning is inextricably tied to the accuracy and effectiveness of risk identification. But under a risk-informed model, if a state prioritizes the wrong risks or overlooks some entirely, it is more likely to be underprepared or even unprepared. And the state’s citizens will suffer.

This brings us back to where we started:  this is the front end of a major transition and we need to exercise caution to minimize the potential impact to our citizens.  And while SLTT governments can play a larger role in disaster planning and preparation, there are functions that only the federal government can perform to achieve cyber readiness.  If we identify those now and preserve that capacity going forward, we can build a more prepared and resilient country. 

This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.
