Cyber Security National Seminar and Tabletop Exercise
Cyber attack mock exercise tests preparations and trains UA emergency managers
The threat of a cyber attack affecting the university is very real. Massive security breaches at Equifax and Premera fill the news, and UA’s IT departments deflect hundreds of hacking attempts every day. By 2021, cybercrime damages across the U.S. are expected to reach $6 trillion annually. How prepared is the University of Alaska to respond in the face of a full-scale cyber attack?
A team of nine UA employees representing different areas of emergency management across the system attended a Department of Homeland Security National Seminar and Tabletop Exercise for Institutes of Higher Education in Salt Lake City earlier this month to train and test on such a scenario. Chief IT Officer Karl Kowalski and Manager of Compliance, Information and Record Systems Shiva Hullavarad represented UA IT expertise; Chief Risk Officer Tim Edwards, SW Emergency Manager Steve Mullins, UAF Fire Chief Doug Schrage, UAA Emergency Manager Ron Swartz, and UAS Emergency Manager Matt Ziemer represented UA’s emergency management teams; Associate General Counsel Matt Cooper provided legal representation; and Public Information Coordinator Monique Musick represented the public information role. They attended workshop sessions focused on their areas of interest – from IT systems recovery to communications and public relations – and worked together in table top sessions to respond to a mock cyber attack of rapidly escalating impact. While plausible, the scenario for the exercise was on a greater scale than we are likely to face, and it truly tested UA’s preparation and response capabilities during such a crisis.
One of the greatest benefits of exercises like this is the ability to share and learn from other institutions. Hearing stories from Princeton and Berkeley; learning from Boston University about its response to the Boston Marathon bombing; and discovering that we are all facing many the same types of threats and cyber attack attempts is rewarding and educational. We returned from the conference with a clear understanding of where our cyber security programs are strong, and where we should spend more time planning.
The single most important action to take is to develop action plans and practice them regularly. In the coming months Chief Risk Officer Tim Edwards plans to conduct drills with executives and emergency management team members on our Emergency Action Plans. When it comes to cybersecurity, training students and employees is paramount for reducing risk. Departments need to develop continuity plans and be prepared to keep the business of the university operating in the event that online systems are compromised, whether from an outage or a security breach, and establish alternative forms of contact in the event that phones or internet are compromised. It is equally important to have family emergency plans so you know how to contact one another in the event of an emergency or natural disaster.
While there is no way to completely prevent a cyber attack from affecting the University of Alaska systems, we can all do our part to remain vigilant in our online behaviors, and to plan for and practice emergency response and recovery.