The Obama administration is urging agencies to think about cyber response with the same attention they bring to a natural disaster. To help them, the White House is clarifying what roles certain agencies play in a coordinated cybersecurity response.
Presidential Policy Directive (PPD)-41, which the White House released July 26, describes how agencies will work together to respond to cyber incidents that could have a major impact on the nation.
“It spells out which federal agencies are responsible,” said Lisa Monaco, assistant to the President for homeland security and counterterrorism, at the International Conference on Cybersecurity in New York July 26. “And it will help answer a question heard too often from corporations and citizens alike: ‘In the wake of an attack, who do I call for help?’”
Specifically, it outlines roles for three agencies in three distinct areas of cyber incident response.
The Justice Department, through the FBI and the National Cyber Investigative Joint Task Force, will lead “threat response,” coordinating the response to an immediate cyber threat.
DOJ will communicate with stakeholders at an affected organization and with law enforcement to collect evidence and intelligence, stop the immediate cyber threat and start the information sharing process with the Homeland Security Department.
When a major cyber event happens, the FBI will respond as part of the Cyber Unified Coordination Group, alongside asset response teams, state, local and tribal governments, non-government organizations, members of industry and other federal agencies as necessary.
The directive “codifies the essential role that the FBI plays in cyber incident response, recognizing its unique expertise, resources and capabilities,” FBI Assistant Cyber Division Director James Trainor said in a statement. “As the bureau continues evolving to keep pace with the cyber threat, the authorities contained in [the directive] will allow us to help shape the nation’s strategy for addressing nationally-significant cyber incidents.”
Next, DHS will take the lead on “asset response,” helping the affected organization recover and restore its systems to normal operation.
“Asset response” essentially means that DHS will help an impacted organization “find the bad actor on its system, repair its system, patch the vulnerability, reduce the risks of future incidents and prevent the incident from spreading to others,” department secretary Jeh Johnson said in a statement.
DHS will also write the federal government’s plan for working with industry and state, local and tribal governments to respond to major cyber attacks.
Both DOJ and DHS will keep a fact sheet detailing how private organizations can contact relevant federal agencies about a specific cyber attack, the directive said.
Finally, the Office of the Director of National Intelligence will take the lead on intelligence support: the analysis and intelligence aspect of the response.
The PPD does not necessarily describe brand new policy, but it does codify existing initiatives that Obama introduced in the Cybersecurity National Action Plan (CNAP), a series of short- and long-term goals that the Office of Management and Budget has unveiled over the past six months.
“While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security or the broader economy require a unique approach to response efforts,” the policy directive said.
When a large company suffers a major cyber attack, appropriate sector-specific agencies will work with that organization to understand the scope of the incident and how it might impact critical infrastructure, the policy said.
The directive also officially describes the governance structure that will take the lead on developing national cyber response policy and on coordinating with sector-specific agencies during a specific cyber event.
The Cyber Response Group (CRG) will develop a governmentwide response strategy. Agencies that participate in this group will write their own procedures that correspond with the CRG policy.
A Cyber Unified Coordination Group, which will mostly consist of DOJ, DHS, the ODNI and other related agencies, will be the primary coordinating body for the response to major cyber events.
The PPD also describes five underlying principles that the White House said should drive agencies’ responses to large cyber incidents:
Shared responsibility: citizens, federal agencies and private companies all play a part in managing cyber incidents.
Risk-based response: agencies will respond to a cyber event depending on the impacts it poses to national security, foreign relations, the economy, public confidence or public safety.
Respecting affected entities: Agency cyber responders will do their best to protect the details of the incident and privacy and civil liberties.
Unity of governmental effort: The federal agency that becomes aware of the cyber incident first will notify other relevant organizations. Other agencies will recognize their respective roles and act accordingly.
Enabling restoration and recovery: Agencies will do their best to bring the impacted organization back to normal operations as quickly as possible.
Industry organizations and agencies such as the Departments of Energy and the Treasury will practice these procedures in exercises within the next few months, Monaco said, and industry and government experts will meet next week to give their feedback on the PPD.
Such a response is necessary because the threat landscape has changed dramatically since Obama took office in 2009. DHS now receives more than double the number of annual incident reports it did in 2009, Monaco said.
“It’s important to remember that the technology we’ve been discussing is an incredible tool,” she said. “But our wired world also presents a great paradox.”