The Obama administration wants federal agencies to have an organized response plan in place before a major cyber attack hits, but cyber officials wonder how soon that strategy will take effect.
The Presidential Policy Directive (PPD) 41, released by the White House on July 26, describes how agencies ought to work together to respond to a cyber incident that poses major consequences to the country.
White House officials previously stated that agencies should think about their cyber response the same way they’d approach a natural disaster, but French Caldwell, chief evangelist at MetricStream, told Federal News Radio that the PPD falls short of that standard.
“I don’t see how that’s really going to work. It would be like saying we’re going to create FEMA immediately after the hurricane,” Caldwell said. “There’s no real clear organizational changes, and as a matter of fact, the one thing that is highlighted here, the establishment of sort of an emergency response capability, it seems like that’s very ad hoc, will be spun up in the event of an instance.”
Caldwell, who in 2002 worked on a war game exercise with the Naval War College and the White House to test the feasibility of a strategic cyber attack on U.S. critical infrastructure, said the White House cyber plan still leaves a lot of open questions about what roles agencies should carry out in the event of an attack.
“I think this raises the question of how prepared are we, really, for a significant cybersecurity attack on the country,” he said. “This is documenting the status quo, and when you look at it, it leaves you wondering, will we ever get beyond this sort of ad hoc approach to cyber, to the protection of critical infrastructure and the response to what could potentially be devastating cyber attacks on our critical infrastructure.”
The Cybersecurity Information Sharing Act (CISA), which passed in late 2015, enabled more sharing of cyber threat information between private industry and government. Caldwell said passage of CISA has been a step in the right direction, but added that companies may still be reluctant to share sensitive information with the government following the Office of Personnel data breach.
“There is definitely a need for pooling capabilities and being able to coordinate and respond together,” Caldwell said. “[CISA] was an evolution, I think it’s a positive thing, although I think when you look at the government itself, the federal government definitely needs to clean up its own act if it wants to be a trusted broker of cyber threat information.”
Dan Chenok, the executive director for the IBM Center for the Business of Government, told Federal News Radio that Obama’s PPD demonstrates an evolving cyber response.
“I think that shows a continued progression in terms of the government working with industry to understand what’s happening in cyberspace and to be able to share information effectively,” Chenok said.
For a governmentwide cyber strategy to be truly effective, Caldwell said, agencies need to continuously test and run exercises to fine-tune their response before an actual breach.
“I think some good could come out of this if they’re doing regular exercises, ongoing training. If we’re expected to spin up a response after an event, it needs to spin up extraordinarily quickly, and that’s only going to happen if you’re drilling all the time. There have to be ongoing drills and exercises, not some annual exercise, but all the time, this has to be done,” Caldwell said.
But the private sector still has its own cyber deficiencies to work out. In a recent survey of financial service companies, MetricStream found that less than 8 percent of companies said they were prepared to share cybersecurity information with the government, while 18 percent said they were already sharing cybersecurity information with the government. Meanwhile, 12 percent of respondents said they were sharing cyber information with other industry partners.