Learning from Megadisasters: A Decade of Lessons from the Great East Japan Earthquake

On March 11th, 2011 a magnitude 9.0 earthquake struck off the northeast coast of Japan, near the Tohoku region. The force of the earthquake sent a tsunami rushing towards the Tohoku coastline, a black wall of water which wiped away entire towns and villages. Sea walls were overrun. Nearly 20,000 lives were lost. The scale of destruction to housing, infrastructure, industry and agriculture was extreme in Fukushima, Iwate, and Miyagi prefectures. In addition to the hundreds of thousands who lost their homes, the earthquake and tsunami contributed to an accident at the Fukushima Daiichi Nuclear Power Plant, requiring additional mass evacuations. The impacts not only shook Japan’s society and economy as a whole, but also had ripple effects in global supply chains. In the 21st century, a disaster of this scale is a global phenomenon.
The severity and complexity of the cascading disasters were not anticipated. The events during and following the Great East Japan Earthquake (GEJE) showed just how ruinous and complex a low-probability, high-impact disaster can be. However, although the impacts of the triple disaster were devastating, Japan’s legacy of disaster risk management (DRM) likely reduced losses. Japan’s structural investments in warning systems and infrastructure were effective in many cases, and preparedness training helped many act and evacuate quickly. The large spatial impact of the disaster, and the region’s largely rural and elderly population, posed additional challenges for response and recovery.
Over recent years, the Japan-World Bank Program on Mainstreaming DRM in Developing Countries has furthered the work of the Learning from Megadisasters report, continuing to gather, analyze and share the knowledge and lessons learned from GEJE, together with past disaster experiences, to enhance the resilience of next generation development investments around the world. Ten years on from the GEJE, we take a moment to revisit the lessons gathered, and reflect on how they may continue to be relevant in the next decade, in a world faced with both seismic disasters and other emergent hazards such as pandemics and climate change.
Through synthesizing a decade of research on the GEJE and accumulating the lessons from past disaster experience, this story highlights three key strategies which recurred across many of the cases we studied. They are:
1) planning for disasters before they strike,
2) sharing DRM responsibilities among many stakeholders, since neither the public nor the private sector can address it alone, and
3) institutionalizing a culture of continuously enhancing resilience.
For example, business continuity plans, or BCPs, can help both public and private organizations minimize damages and disruptions. BCPs are documents prepared in advance which provide guidance on how to respond to a disruption and resume the delivery of products and services. Additionally, the creation of pre-arranged agreements among independent public and/or private organizations can help share essential responsibilities and information both before and after a disaster. This might include agreements with private firms to repair public infrastructures, among private firms to share the costs of mitigation infrastructure, or among municipalities to share rapid response teams and other resources. These three approaches recur throughout the more specific lessons and strategies identified in the following section, which is organized along the three areas of disaster risk management: resilient infrastructure; risk identification, reduction and preparedness; and disaster risk finance and insurance.
Lessons from the Megadisaster
Resilient Infrastructure
The GEJE had severe impacts on critical ‘lifelines’—infrastructures and facilities that provide essential services such as transportation, communication, sanitation, education, and medical care. Impacts of megadisasters include not only damages to assets (direct impacts), but also disruptions of key services, and the resulting social and economic effects (indirect impacts). For example, the GEJE caused a water supply disruption for up to 500,000 people in Sendai city, as well as completely submerging the city’s water treatment plant. Lack of access to water and sanitation had a ripple effect on public health and other emergency services, impacting response and recovery. Smart investment in infrastructure resilience can help minimize both direct and indirect impacts, reducing lifeline disruptions. The 2019 report Lifelines: The Resilient Infrastructure Opportunity found through a global study that every dollar invested in the resilience of lifelines had a $4 benefit in the long run.
In the case of water infrastructure, the World Bank report Resilient Water Supply and Sanitation Services: The Case of Japan documents how Sendai City learned from the disaster to improve the resilience of these infrastructures. Steps included retrofitting existing systems with seismic resilience upgrades, enhancing business continuity planning for sanitation systems, and creating a geographic information system (GIS)-based asset management system that allows for quick identification and repair of damaged pipes and other assets. During the GEJE, damages and disruptions to water delivery services were minimized through existing programs, including mutual aid agreements with other water supply utility operators. Through these agreements, the Sendai City Waterworks Bureau received support from more than 60 water utilities to provide emergency water supplies. Policies which promote structural resilience strategies were also essential to preserving water and sanitation services. After the 1995 Great Hanshin Awaji Earthquake (GHAE), Japanese utilities invested in earthquake resistant piping in water supply and sanitation systems. The commonly used earthquake-resistant ductile iron pipe (ERDIP) has not shown any damage from major earthquakes including the 2011 GEJE and the 2016 Kumamoto earthquake. Changes were also made to internal policies after the GEJE based on the challenges faced, such as decentralizing emergency decision-making and providing training for local communities to set up emergency water supplies without utility workers with the goal of speeding up recovery efforts.
Redundancy is another structural strategy that contributed to resilience during and after the GEJE. In Sendai City, redundancy and seismic reinforcement in water supply infrastructure allowed the utility to continue to operate pipelines that were not physically damaged in the earthquake. The Lifelines report describes how, in the context of telecommunications infrastructure, the redundancy created through a diversity of routes in Japan’s submarine internet cable system limited disruptions to national connectivity during the megadisaster. However, the report emphasizes that redundancy must be calibrated to the needs and resources of a particular context. For private firms, redundancy and backups for critical infrastructure can be achieved through collaboration; since the GEJE, firms have increasingly collaborated to defray the costs of these investments.
The GEJE also illustrated the importance of planning for transportation resilience. A Japan Case Study Report on Road Geohazard Risk Management shows the role that both national policy and public-private agreements can play. In response to the GEJE, Japan’s central disaster legislation, the Disaster Countermeasures Basic Act (DCBA), was amended in 2012, with particular focus on the need to reopen roads for emergency response. Quick road repairs were made possible after the GEJE in part due to the Ministry of Land, Infrastructure, Transport and Tourism (MLIT)’s emergency action plans, the swift action of the rapid response agency Technical Emergency Control Force (TEC-FORCE), and prearranged agreements with private construction companies for emergency recovery work. During the GEJE, roads were used as evacuation sites and proved effective in limiting the spread of floodwater. After the disaster, public-private partnerships (PPPs) were also made to accommodate the use of expressway embankments as tsunami evacuation sites. As research on Resilient Infrastructure PPPs highlights, clear definitions of roles and responsibilities are essential to effective arrangements between the government and private companies. In Japan, lessons from the GEJE and other earthquakes have led to a refinement of disaster definitions, such as numerical standards for triggering force majeure provisions of infrastructure PPP contracts. In Sendai City, clarifying the post-disaster responsibilities of public and private actors across various sectors sped up the response process. This experience was built upon after the disaster, when Miyagi prefecture conferred operation of the Sendai International Airport to a private consortium through a concession scheme which included refined force majeure definitions. In the context of a hazard-prone region, the agreement clearly defines disaster-related roles and responsibilities as well as the relevant triggering events.
[Source: World Bank]

DOE Announces $30 Million for Quantum Information Science to Tackle Emerging 21st Century Challenges

The U.S. Department of Energy (DOE) announced plans to provide $30 million for Quantum Information Science (QIS) research that helps scientists understand how nature works on an extremely small scale, 100,000 times smaller than the diameter of a human hair. QIS can help the nation solve some of the most pressing and complex challenges of the 21st century, from climate change to national security.
“Quantum computing and devices are poised to revolutionize the way we process information and develop new technologies that are currently beyond our reach,” said Secretary of Energy Jennifer M. Granholm. “From developing novel materials to building better batteries to moving clean electricity across the country more efficiently, the field of quantum information sciences can help us accelerate discoveries to solve complex problems in energy and beyond.”
QIS helps researchers discover new ways to measure, analyze, process, and communicate information. Potential applications for this work range from quantum computers to enable complex power forecasting to prevent outages during extreme weather events, to quantum devices to enable new smart windows, clothes, and buildings that can change their properties on demand.
“Quantum information sciences have become essential tools for our National Labs to take on the challenges of the modern world,” said Senator Ben Ray Luján. “This strong investment in the Department’s NSRCs will support their cutting-edge discoveries and strengthen America’s competitiveness in this emerging field. The Nation’s future is inextricably tied to the future of our National Labs, and I will keep working to ensure that they receive the necessary resources to support their invaluable work.”
“The U.S. is a world leader in high-tech innovation and jobs. This investment will help ensure we continue to build on our record of achieving advancements in quantum computing research and development and the high-paying jobs it creates,” said Senator Steve Daines.
DOE's “Quantum Information Science and Research Infrastructure” $30 million funding opportunity is focused on developing advanced capabilities for synthesizing, constructing, and understanding quantum structures and phenomena, as well as making these capabilities available to the greater scientific community via access to DOE’s five Nanoscale Science Research Centers (NSRCs).
The five NSRCs were established by DOE's Basic Energy Sciences (BES) program in the Office of Science, and provide access to leading-edge synthesis, characterization, computational tools, and scientific expertise. Their research supports DOE's mission to advance the energy, economic, and national security of the United States.
Awards will be selected based on peer review, and all five NSRCs are eligible to lead applications for awards of up to three years. DOE’s Office of Basic Energy Sciences, which is funding the effort, envisions awards both for single NSRCs and for NSRCs working in partnerships or teams.

New Major Interventions to Block Encrypted Communications of Criminal Networks

Judicial and law enforcement authorities in Belgium, France and the Netherlands have, in close cooperation and with the support of Europol and Eurojust, enabled major interventions to block the further use of encrypted communications by large-scale organised crime groups (OCGs). The continuous monitoring of the illegal Sky ECC communication service tool by investigators in the three countries involved has provided invaluable insights into hundreds of millions of messages exchanged between criminals. This has resulted in the collection of crucial information on over a hundred planned large-scale criminal operations, preventing potentially life-threatening situations and possible victims.
During an action day, a large number of arrests were made, as well as numerous house searches and seizures in Belgium and the Netherlands. The operation is an essential part of the continuous effort of judiciary and law enforcement in the EU and third countries to disrupt the illegal use of encrypted communications, as was already displayed last year following the successful decryption of the EncroChat communication platform.
As of mid-February, authorities have been able to monitor the information flow of approximately 70 000 users of Sky ECC. Many users of EncroChat changed over to the popular Sky ECC platform, after EncroChat was unveiled in 2020.
By successfully unlocking the encryption of Sky ECC, the information acquired will provide insights into criminal  activities in various EU Member States and beyond and will assist in expanding investigations and solving serious and cross-border organised crime for the coming months, possibly years.
Law enforcement in all three countries has been on continuous standby during the last month to be able to react rapidly to possibly dangerous criminal activities when required. The newly acquired information will now be analysed further.
Investigations into the tool started in Belgium, after mobile phones seized during searches showed the use of Sky ECC by suspects. Worldwide, approximately 170 000 individuals use the tool, which has its own infrastructure and applications and is operated from the United States and Canada, using computer servers based in Europe. On a global scale, around three million messages are exchanged each day via Sky ECC. Over 20 percent of the users are based in Belgium and the Netherlands.
Europol has and will continue to provide the authorities of Belgium, Netherlands and other affected countries with tactical, technical and financial support and will be dealing with this important flow of information on criminal activities in order to prevent threats to life and major crimes.
Eurojust has provided advice and support regarding cross-border judicial cooperation and organised 12 coordination meetings to enable this collaboration. The Agency will continue to provide this support and stands ready for further advice and cross-border operational financial support to all Member States and countries involved, to ensure an adequate cross-border judicial cooperation.

Universal Health Services lost $67m to ransomware attack

UHS was among the first hit with the coordinated ransomware wave that targeted the healthcare sector last year. On September 29 last year, Universal Health Services announced in a press release that due to an IT security incident that took place two days earlier, it had to suspend user access to its IT applications related to operations located in the United States.
In the early hours of September 27, UHS clinicians and staff members took to Reddit to determine if other UHS employees across the country were experiencing similar computer and phone outages.
The thread detailed internet and data center outages, with one employee attributing the incident to a ransomware attack after seeing ransom notes associated with the Ryuk ransomware displayed on some computer screens.
Upon discovery, the IT team took all systems offline to prevent further propagation. The following day, UHS officials confirmed the event as an IT disruption, before describing it as a malware infection several days later.
The disruption caused by the ransomware attack was immense, considering UHS is among the largest providers of hospital and healthcare services in the US, featuring among Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in Forbes list of U.S.' Largest Public Companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, Universal Health Services also operates in Puerto Rico and the United Kingdom.
UHS said that it immediately implemented extensive IT security protocols and was working with security partners to restore the affected IT services as soon as possible. The incident caused temporary disruption to some clinical and financial operations, forcing acute care and behavioral health facilities to rely on offline documentation to deliver round-the-clock patient care.

CISA Announces Transfer of .gov Top-Level Domain from US General Services Administration

The Cybersecurity and Infrastructure Security Agency (CISA) announced it will begin overseeing the .gov top-level domain (TLD) in April 2021. CISA is working closely with the U.S. General Services Administration, which currently oversees the TLD, to ensure a seamless transition of daily operations for .gov customers.
“Using .gov and increasing trust that government communications are authentic will improve our collective cybersecurity,” said Eric Goldstein, Executive Assistant Director for CISA’s Cybersecurity Division. “People see a .gov website or email address and know they are interacting with an official, U.S.-based government organization. Using .gov also provides security benefits, like two-factor authentication on the .gov registrar and notifications of DNS changes to administrators, over other TLDs. We’ll endeavor to make the TLD more secure for the American public and harder for malicious actors to impersonate.”
.gov is one of the six original TLDs in the internet’s domain name system (DNS). The TLD is actively used by each branch of the federal government, every state in the nation, hundreds of counties and cities, and many tribes and territories as they serve the public on the internet. The DOTGOV Act of 2020 shifted responsibility for managing .gov to CISA as the nation’s civilian cybersecurity agency.
Because the TLD is central to the availability and integrity of thousands of online services relied upon by millions of users, .gov is critical infrastructure for governments throughout the country and all aspects of its administration have cybersecurity significance. Under the actions required by the Act, CISA will work to increase security and decrease complexity for our government partners.

Police arrest 11 suspects of 'Anonymous Malaysia' hacker group

Eleven men, believed to be part of the "Anonymous Malaysia" hacker group, have been detained following six raids conducted by Malaysian police in Pahang, Johor, Perak and the Klang Valley.
Deputy Inspector-General of Police Acryl Sani Abdullah Sani said the suspects, aged between 22 and 40, were detained following the group's recent threat to hack the government's computer system.
Among those arrested by the Commercial Crime Investigation Department of Malaysian police headquarters, he said, was the administrator of the Anonymous Malaysia Facebook page.
"We will investigate further and ascertain if there are other members of the group," he told reporters after visiting a Covid-19 police roadblock set up at a Selangor toll plaza.
Datuk Seri Acryl Sani said the group was believed to be responsible for cyber attacks on websites belonging to the government and the private sector.
"We are not ruling out the possibility of 17 websites having been hacked," he added.
It was learnt that the suspects were also responsible for hacking the systems belonging to the Johor and Sabah state governments as well as Malaysia's International Trade and Industry Ministry.

Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS

The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally, organizations can use DNS query logs for incident response and threat hunting activities.
CISA encourages users and administrators to consider the benefits of using a protective DNS service and review NSA and CISA’s CSI sheet on Selecting a Protective DNS Service for more information.
Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead (T1583.001); threat actors lace phishing emails with malicious links (T1566.002); a compromised device may seek commands from a remote command and control server (TA0011); a threat actor may exfiltrate data from a compromised device to a remote host (TA0010). The domain names associated with malicious content are often known or knowable, and preventing their resolution protects individual users and the enterprise.
Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192). The Cybersecurity and Infrastructure Security Agency issued a memo and directive requiring U.S. government organizations to take steps to mitigate related DNS issues. Additionally, the National Security Agency has published guidance documents on defending DNS [1, 2, 3].
This guidance outlines the benefits and risks of using a protective DNS service and assesses several commercial PDNS providers based on reported capabilities. The assessment is meant to serve as information for organizations, not as recommendations for provider selection. Users of these services must evaluate their architectures and specific needs when choosing a service for PDNS and then validate that a provider meets those needs.

GAO report finds DOD's weapons programs lack clear cybersecurity guidelines

DOD's network of sophisticated, expensive weapon systems must work when needed, without being incapacitated by cyberattacks. However, GAO reported in 2018 that DOD was routinely finding cyber vulnerabilities late in its development process.
A Senate report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review DOD's implementation of cybersecurity for weapon systems in development. GAO's report addresses (1) the extent to which DOD has made progress in implementing cybersecurity for weapon systems during development, and (2) the extent to which DOD and the military services have developed guidance for incorporating weapon systems cybersecurity requirements into contracts.
Since GAO's 2018 report, the Department of Defense (DOD) has taken action to make its network of high-tech weapon systems less vulnerable to cyberattacks. DOD and military service officials highlighted areas of progress, including increased access to expertise, enhanced cyber testing, and additional guidance. For example, GAO found that selected acquisition programs have conducted, or planned to conduct, more cybersecurity testing during development than past acquisition programs. It is important that DOD sustain its efforts as it works to improve weapon systems cybersecurity.
Contracting for cybersecurity requirements is key. DOD guidance states that these requirements should be treated like other types of system requirements and, more simply, “if it is not in the contract, do not expect to get it.” Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met. However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria, or verification processes. For example, GAO found that contracts for three of the five programs did not include any cybersecurity requirements when they were awarded. A senior DOD official said standardizing cybersecurity requirements is difficult and the department needs to better communicate cybersecurity requirements and systems engineering to the users that will decide whether or not a cybersecurity risk is acceptable.
DOD and the military services have developed a range of policy and guidance documents to improve weapon systems cybersecurity, but the guidance usually does not specifically address how acquisition programs should include cybersecurity requirements, acceptance criteria, and verification processes in contracts. Among the four military services GAO reviewed, only the Air Force has issued service-wide guidance that details how acquisition programs should define cybersecurity requirements and incorporate those requirements in contracts. The other services could benefit from a similar approach in developing their own guidance that helps ensure that DOD appropriately addresses cybersecurity requirements in contracts.
GAO is recommending that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. DOD concurred with two recommendations, and stated that the third—to the Marine Corps—should be merged with the one to the Navy. DOD's response aligns with the intent of the recommendation.

CISA Issues Emergency Directive for Federal Agencies to Patch Critical Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 requiring federal civilian departments and agencies running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released yesterday. It also requires agencies who are currently able to do so to collect forensic images. All agencies are also required to search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities. The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities. CISA also issued an activity alert to provide additional information and to encourage other public and private sector organizations to take steps to protect their networks.
“This Emergency Directive will help us secure federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Acting CISA Director Brandon Wales. “The swiftness with which CISA issued this Emergency Directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it.”
ED 21-02 reflects CISA’s determination that exploitations that pose an unacceptable risk to the federal civilian executive branch agencies require emergency action. CISA made this assessment on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that federal government services to the American public could be degraded.
CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon. Cloud services such as Microsoft 365 and Azure systems are not known to be affected by this vulnerability.

NSCAI Report presents strategy for winning the artificial intelligence era

The 16 chapters in the National Security Commission on Artificial Intelligence (NSCAI) Main Report provide topline conclusions and recommendations. The accompanying Blueprints for Action outline more detailed steps that the U.S. Government should take to implement the recommendations.
The NSCAI acknowledges how much remains to be discovered about AI and its future applications. Nevertheless, enough is known about AI today to begin with two convictions.
First, the rapidly improving ability of computer systems to solve problems and to perform tasks that would otherwise require human intelligence—and in some instances exceed human performance—is world altering. AI technologies are the most powerful tools in generations for expanding knowledge, increasing prosperity, and enriching the human experience. AI is also the quintessential “dual-use” technology. The ability of a machine to perceive, evaluate, and act more quickly and accurately than a human represents a competitive advantage in any field—civilian or military. AI technologies will be a source of enormous power for the companies and countries that harness them.
Second, AI is expanding the window of vulnerability the United States has already entered. For the first time since World War II, America’s technological predominance—the backbone of its economic and military power—is under threat. China possesses the might, talent, and ambition to surpass the United States as the world’s leader in AI in the next decade if current trends do not change. Simultaneously, AI is deepening the threat posed by cyber attacks and disinformation campaigns that Russia, China, and others are using to infiltrate our society, steal our data, and interfere in our democracy. The limited uses of AI-enabled attacks to date represent the tip of the iceberg. Meanwhile, global crises exemplified by the COVID-19 pandemic and climate change highlight the need to expand our conception of national security and find innovative AI-enabled solutions.
Given these convictions, the Commission concludes that the United States must act now to field AI systems and invest substantially more resources in AI innovation to protect its security, promote its prosperity, and safeguard the future of democracy.
Full report is available at https://reports.nscai.gov/final-report