When Cyber-Attacks Lead to Disasters, Does the Stafford Act Apply?

As cyber-attacks remain front page news, the nation’s cyber posture must evolve to meet expanding threats. High-impact cyber incidents in 2021 alone should make any risk advisor concerned:

Increasing cyber-attacks on critical infrastructure pose a serious threat to our nation, far beyond the consequences seen in recent large-scale data breaches. As malicious actors become bolder, the next major breach of critical infrastructure may be so severe it feels like a natural disaster to those affected.

The February ice storm in Texas, although caused by extreme weather, offers a good case study. Texas’ loss of essential heat and power forced impacted residents into emergency shelters, essential medical devices could not function, and people died of carbon monoxide poisoning while heating their home or car. In fact, officials attributed more than 210 deaths to the event. This could happen in a cyber-attack.

The May ransomware attack on Colonial Pipeline caused panic buying and gas shortages up and down the East Coast. Days earlier, the Institute for Security and Technology labeled ransomware an “urgent national security risk that threatens schools, hospitals, businesses and governments across the globe.”

Given the likelihood of a major infrastructure hack and the potentially “disastrous” consequences, the nation must do more to prepare. In 2017, the President’s National Infrastructure Advisory Council noted, “When a cyber-attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities and authorities.” As cyber-incidents increase, Congress may establish a cyber-specific response fund. A better solution may be to tap existing federal disaster response capabilities.

The 1988 Robert T. Stafford Act serves as the foundation of our nation’s domestic natural disaster response. It is frequently amended to address lessons learned in our most tragic events. Since the start of COVID-19, the Trump and Biden Administrations relied heavily on the Stafford Act. It has been leveraged for federal responses to a wide range of incidents beyond natural disasters, such as the 9/11 attacks, the West Nile Virus outbreak, and the loss of the space shuttle Columbia. These applications open the door for broader use to support local recovery from a cyber-attack.

A February report by the Business Executives for National Security (BENS) called upon Congress to “expand the Robert T. Stafford Disaster Relief and Emergency Assistance Act to include pandemics, cyber events and other emergencies of extended duration or with possible nationwide impacts.” The report argues the Act authorizes the federal government to provide aid to overwhelmed states and localities. As such, the Act should apply to “any national crisis, regardless of the event’s nature or timeframe.”

Katerina Sedova, a research fellow with the CyberAI Project at Georgetown Center for Security and Emerging Technology, agrees with this argument. She noted, “As lawmakers consider options to shore up resilience to crippling cyber-attacks, amending the Stafford Act to include manmade disasters is a viable option, particularly where state and local capacity is insufficient.”

Others say the Stafford Act already includes authorities needed to assist jurisdictions in cyber response and recovery. Dr. Samantha Montano, assistant professor of emergency management at Massachusetts Maritime Academy, argues “the Stafford Act was written with the intent to apply to all types of hazards whether natural, biological or technical. It would be appropriate for cyber-attacks to be a type of incident the Stafford Act could be used to address.”

Dr. Daniel Kaniewski, former FEMA Deputy Administrator, believes that regardless of the strict interpretation of the Stafford Act, emergency managers at all levels of government are compelled to respond. “If there were a catastrophic cyber-attack on the US, emergency managers would not sit idly by as consequences mount. In fact, this scenario is the epitome of all-hazards planning.” During his time in office, Kaniewski encouraged emergency managers to strengthen relationships with those responsible for cybersecurity.

To aid in the effort, the House passed the State and Local Cybersecurity and plans to try again. The Senate recently considered the Cyber Response and Recovery Act, which also establishes a fund for support to public or private entities.

Whether a new federal cyber response fund is established, or the Stafford Act is applied remains to be seen. However, as actors grow bolder and critical infrastructure remains vulnerable, the nation must seek novel solutions to keep Americans safe from the likely and disastrous outcomes of a cyber-attack on the nation’s critical infrastructure.

If you liked this article, be sure to check out this upcoming Online Summit session:

What’s Hot on Infosecurity Magazine?