Profiles in Preparedness #1: Preparedness Long Reads
Articles that look at hybrid threats and risks
Over the past month, I've been spending a lot of time reading and thinking about how organizations can prepare for the overlap between human-caused and natural disasters.
Whether considering hybrid physical/cyber-attacks on organizations or the problems a changing climate creates for physical security, these are not easy issues and challenges to prepare for.
Here are a few longer reads that have stood out in the past few weeks. For additional articles, connect with me on LinkedIn, where I share and discuss other articles I'm reading.
A Heat Dome Hits Virginia: One Data Center's Story
This three-part fictional story written by Andrew Bochman from the Idaho National Laboratory highlights an undiscussed topic: a changing climate can create challenges for security and public safety professionals as well.
As much of the country faced record-high temperatures through June and July, the weather also put technology platforms and data centers at risk. Technology blackouts can affect rail and air transportation, 911 systems, the supply chain, healthcare systems, and many other critical lifelines in our communities and personal lives.
Extended-duration and heat-related power outages are not simply utility company concerns but can quickly lead to humanitarian crises and incidents (Texas’ 2021 Winter Storm Uri and the 2021 Pacific Heat Dome as examples). Not letting a lack of imagination about what is possible limit our planning can help guide the preparation needed for organizations and communities.
Not convinced yet? Consider these six decision-making biases impeding individuals, communities, and organizations from investing in protection from disasters (link).
Article Link (Part 1): https://www.asisonline.org/security-management-magazine/monthly-issues/security-technology/archive/2022/december/A-Heat-Dome-Hits-Virginia-The-Data-Center/
NATO’s Christian-Marc Lifländer on how the alliance can take a ‘proactive’ cyber stance
Here is an article with the head of NATO's cyber and hybrid policy section that I am sharing because of two key points.
First is the perspective and the need for organizations to pursue left and right of bang cybersecurity capabilities. While patching vulnerabilities and minimizing known risks is a crucial part of cyber defenses, there are parallels to militaries preparing to fight the last war and a never-ending cycle of reacting to new attacks.
There is a lot that organizations can do to proactively prepare for cyber attacks while still left of bang and to develop their resilience to the risks. Getting left of bang also involves imposing costs on attackers and changing their behavior. When an attacker is forced to continually change their tactics and techniques because organizations have strong threat-hunting capabilities and detect surveillance on their systems, it forces criminals to either be bolder in their attacks or choose a softer target.
Second, I think how the interview concludes is really important as well. "We have come to realize that it's not necessarily the single incident that we should be focusing on, but the cumulative effect over time. So if cyber is always on, if it's used continuously in order to target the sources of national power, then at the end of the day, it could very easily be a simple, perhaps even sort of relatively innocent incident, that breaks the camel's back."
The situational awareness required to be proactive and to stay left of bang requires attention and effort (whether human or automated). If the people and systems are overwhelmed with other incidents or organizational activities, it becomes harder to maintain that proactive approach. Right now, cyber defenses are stretched pretty thin and there is a well-advertised shortage of cybersecurity professionals. That makes the system pretty fragile at a time when the volume of attacks continues to increase.
Article Link: https://therecord.media/christian-marc-liflander-on-nato-cyber-defense
The Trillion-Gallon Question: Extreme weather is threatening California's dams. What happens if they fail?
I read this article as Vermont was flooding and not long after the dam collapse in Ukraine. Since preparing for a dam failure is a complex problem on its own (and before considering that intentional explosions inside the dam are the reason why), this article highlights how important the "planning assumptions" section of any emergency plan is.
In every plan, there is a list of things that the planner believes to be true, yet can't say with absolute certainty are true. Planning assumptions can be stated in the plan, or unstated, but they guide how the planning team defines problems and solutions.
Throughout this article, there are countless references to contingency capabilities (such as spillways) that haven't been tested or that don't offer the ability to remove water faster than a reservoir can be filled. There are assumptions about whether there could ever be enough rain to cause the reservoir to fill and overtop (despite data saying it is possible). There are assumptions about whether it is even possible to plan for such a catastrophic event, so planning was often ignored.
For emergency managers and local government officials who often own the impacts of a problem, even if they don't own the ability to control the mitigation measures that prevent the problem, a focus of cross-jurisdictional collaboration and public-private partnerships should involve discussions about planning assumptions. If the assumptions are shared by an asset owner, people (literally or metaphorically) downstream of a problem can build their contingency plans to account for when those assumptions don't work and create the capabilities while still left of bang.
Article Link: https://www.nytimes.com/2023/06/22/magazine/california-dams.html?smid=nytcore-ios-share&referringSource=articleShare