Cyber threat intelligence: A state emergency manager’s view
Shawn Talmadge of Virginia’s Department of Emergency Management explains why cyber threat intelligence-sharing is key to preparing the state for large-scale disaster response
By Scott Kaine
In public safety, cyber threats are a multi-faceted cause for concern. Threats against critical public infrastructure can easily trigger full-scale emergencies, while threats like ransomware can impede public safety agencies’ ability to respond on the ground.
Yet, by working together, agencies can turn cyber threat intelligence into one of their biggest assets for predicting and preparing for cyber-related emergencies before they occur.
I recently sat down with Shawn Talmadge, director of the Virginia Department of Emergency Management (VDEM), to discuss how his agency uses cyber threat intelligence to plan and respond to emergency situations.
The VDEM is a member of the Public Safety Threat Alliance (PSTA), a cyber threat Information Sharing and Analysis Organization (ISAO) recognized by the Cybersecurity and Infrastructure Security Agency (CISA). It facilitates the collection, analysis, production and sharing of actionable cybersecurity threat intelligence to improve public safety agencies’ resiliency and defense.
Tell us about your career leading up to VDEM. How did your military experience with the Virginia National Guard inform your approach to VDEM’s operations and intelligence?
I’ve been in the emergency response and homeland security space for over 25 years. Early in my career, I jumped into the first responder realm as both a critical care paramedic and a firefighter. I then joined the Virginia National Guard and was deployed overseas twice on combat missions, and here in the United States, on a weapons of mass destruction team with various units. I held a number of leadership roles with the Guard including Battalion Commander, Executive Officer and Chief of Joint Operations.
My military service taught me two important lessons: intel should always drive your decisions, and connectivity matters when you’re on the front lines of a mission or disaster. I learned to see cyber threat intelligence as a means for making better decisions about safety preparedness and mission assurance. I also studied the policy issues and operational concerns that can impact domestic emergency response times and worked to build more effective response task forces.
What type of emergencies does your agency manage?
For many, emergency management brings to mind pictures of first responders pulling survivors from flood waters or assisting communities in the wake of a tornado. Yet my team at VDEM manages much more than these weather-related disasters.
For instance, we coordinated the operations and logistics to welcome over 30,000 displaced refugees to the state during Operation Allied Welcome. We set the state’s strategy for dealing with hazardous material exposures and maintained plans to contain an avian flu outbreak. There is a lot of variety. No matter the emergency, the data we glean from threat intelligence makes us more effective in planning our response and keeping citizens safe.
How does threat intelligence enable your agency to operate more effectively?
With threat intelligence, we make better decisions when preparing for and responding to large-scale emergencies. It’s really that simple. Threat intelligence plays a critical role in driving both our planning for an emergency and our operations during it. It also allows us to reassess our response as an emergency unfolds.
As an emergency manager, how concerned are you about cyber threats and bad actors?
Nothing makes me lose sleep more than the threat of a cyber event.
In an emergency, communication systems availability is critical. First responders need to be able to talk. Officials need to get life-saving information out to the public. You or I may need to check in on a loved one or mark ourselves as safe. The security of land mobile radio networks, 9-1-1 and other mission-critical systems underpins our ability to effectively manage emergencies.
For public safety agencies, ransomware attacks are of particular concern. When skilled criminal actors target critical infrastructure and gain access to systems, calls for police, fire or EMS assistance may go unanswered. To keep our communities safe, we must work together to counter the ransomware epidemic.
My team also plans for circumstances where cyber threats are purposely constructed to instigate broader large-scale emergencies – an attack on our energy grid or in the chemical sector, for instance.
This is why information-sharing and analysis centers and organizations like the PSTA are so critical. We can recognize and analyze cyber threat trends specific to public safety agencies to develop a big-picture view of how bad actors’ tactics, techniques and procedures are evolving. If reporting tells us there’s been a shift away from threats against energy systems but an increase in direct attacks on communications infrastructure, we can put the right agency partners on alert and exercise our response plans.
How can information sharing and analysis centers and organizations like the PSTA help public safety agencies more effectively combat cyber threats?
The PSTA is the first organization of its kind focused entirely on sharing cyber threat intelligence for the purpose of public safety organizations. It’s a public-private partnership that reduces the cybersecurity burden put on any one agency.
The intelligence the PSTA distributes helps agencies identify trending cyber concerns, prepare their infrastructure and refine their processes. The PSTA also saves us time in making community-specific recommendations should certain public safety answering points (PSAPs) come under cyberattack, for instance.
I like to think of the PSTA as a cybersecurity backup unit. It’s always at the ready for us with useful intelligence – and it recently joined the Joint Cyber Defense Collaborative, the premier cybersecurity public-private partnership established by CISA. Any public safety agency can register to become a PSTA member for free. It’s a no-brainer.
What successes have you seen in using PSTA cyber threat trend intelligence?
The PSTA provides regular "CyberBytes" that offer actionable cyber information, intel and assessments. These have proven immediately relevant to our work. For example, VDEM is responsible for coordinating and supporting PSAPs, including our ongoing NextGen 9-1-1 project, which requires transitioning from copper to VOIP technologies for phone connectivity. There is a lot of opportunity with this transition, but risk as well, given that VOIP technologies have their own cyber threat considerations. The PSTA’s CyberBytes series helps us better understand threats, which is especially important as our operations evolve into new areas.
What advice do you have for public safety agencies concerned about cyber threats?
In public safety, relationships matter. We know well that a mission’s success depends on collaboration between community leaders, first responders, providers of critical infrastructure and residents.
If you’re concerned about cyber threats, don’t try to manage them alone – lean on your partners. By pooling our resources, insights and intelligence, we can stand united against the increasingly sophisticated cyber threats facing our public safety community today.
About the author
Scott Kaine is corporate vice president of cybersecurity for Motorola Solutions and spearheads the Public Safety Threat Alliance.