Even after a major cyber attack, County Hazard Mitigation Plan fails to include cyber attacks

HAGERSTOWN, MD News (1/20/2023) – The Washington County Office of Emergency Management recently released a survey for citizens to participate in Washington County’s hazard mitigation planning process. Noticeably absent from the survey and presentation of the plan are any mention of planning for major cyber attacks.

The Hazard Mitigation Plan planning process includes all of Washington County. The public survey is designed to help the county gauge public perceptions of hazard vulnerability and potential projects to lessen the impacts of future hazard occurrences. While the plan includes many natural disasters and accidental hazards, including extreme weather, major traffic incidents, and even disease pandemics, the plan does not include any focus on planning in case of a cyber attack affecting emergency services or critical infrastructure such as water or power. This is especially concerning since Washington County is still recovering from the November cyber attack, and has yet to release any information regarding the actual attack, only releasing limited information regarding what was affected.

While some have speculated that the cyber attack was a ransomware attack, as of writing this article the county has not released any details as to how the attack occurred, the nature of the attack, or if any county resident personal information was affected by the breach. Maryland law requires notification within 45 days of discovering a data breach to notify victims and the attorney general, with very limited exceptions. Because residents use county computer systems to pay taxes, water bills, and other business with the county such as permits, their payment information or personal data could have been exposed in the cyber attack. The 45 day deadline was reached on January 10, 2022, and the last update provided by Washington County Government was over 30 days ago.

Potential hazards completely omitted from the planning process include the possibility that a cyber attack could shut down local or regional utilities, including water, phone, internet, or power. Cyber attacks (or even physical attacks as recently seen in North Carolina) targeting critical infrastructure could significantly impact the health and safety of all residents of Washington County, especially if facing extended periods without heating or cooling during winter or summer months. These attacks could also result in civil unrest and serious supply chain issues, effectively isolating Washington County from the rest of the area.

Failure to include cyber attacks in the Hazard Mitigation Plan after a major cyber attack seriously impacted our county 911 center and other government services is extremely short-sighted. The county must understand that the recent cyber attack could have been much worse, had it affected critical infrastructure. Washington County is clearly not prepared for a more serious cyber attack since such an attack is not even mentioned in the Hazard Mitigation Plan. We need to plan accordingly in case future attacks reach beyond just the digital world.

County residents deserve better.

Article by multiple RFHC contributors.

%d bloggers like this: