Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, admitted he had a lot of sleepless nights earlier this summer. He spent long hours worrying about how Baltimore City, five school districts in Louisiana and 22 jurisdictions in Texas would get out from under a ransomware attack.
During those long nights where DHS provided technical and operational support to those and other cities who fell under the scourge of the latest cyber assault, Krebs said it occurred to him that the government doesn’t have the same doctrine for a large-scale cyber event as FEMA has for man-made and natural disasters.
“If you look at FEMA, they have operational plans, exercises and drills. They have an incredible wealth of doctrine, experience and understanding of who does what and when,” Krebs said at the CISA cyber summit in August. “We have to develop that underneath the National Cyber Incident Response Plan (NCIRP).”
The NCIRP and Presidential Policy Directive (PPD)-41, which the Obama administration released July 2016, was supposed to serve as that detailed response plan. Experts say the goals of the NCIRP and PPD-41 never materialized, and, in fact, some say the government is in a more precarious position today than it was four or five years ago.
Krebs seems to realize that and is calling for an implementing doctrine that more specifically details how CISA, the FBI and law enforcement and the intelligence community can work together to respond to a major cyber attack against the country’s critical infrastructure or federal networks.
“The NCIRP is not an actionable plan. It’s more of something closer to a framework that gives a broad overview of the general responsibilities across all federal agencies,” he said. “We have to know what if all 254 counties in Texas get attacked by ransomware. What should states anticipate come from the government, from CISA, from the National Guard? We just need to be clear on expectations and what we will do to solve issues together.”
Krebs added unlike FEMA, which drills and gets to know the first responders and others who would help during a hurricane or wildfire, CISA doesn’t do the same thing. The closest thing is the biannual cyber storm exercise, which happens every two years to test the NCIRP.
Industry experts say while the cyber storm exercise is helpful, it is not enough.
“The one thing we are looking for is a consistent and repeatable way for the government to engage with industry. Previously there was the unified coordination group (UCG) that included each of the critical infrastructure sector on it. Its primary role was to staff and support the UCG. This was a forum if there was a national level cyber incident we could work through how to respond to that incident,” said Scott Algeier, executive director of the IT-Information Sharing and Analysis Center (IT-ISAC). “When DHS updated the cyber incident response plan at the end of the Obama administration, they took out the industry role with the UCG and said they would reach out to industry as needed. Considering the interdependencies across critical infrastructure community and the large amount of subject matter experts industry has, we hope to get to the point to restore industry representation in the cyber UCG as part of any updated response plan.”
Seat at the table disappeared
Bob Dix, an industry cyber expert and former vice present of government affairs and public policy at Juniper Networks, said the incident response plan triggers certain activities depending on the threat or attack, but there isn’t a defined role for critical infrastructure owners and operators.
“DHS brings owners and operators in on an as-needed basis and at the will of the government, particularly who they invite to the table. I think that is a flawed approach,” Dix said. “There should be a designated representative from various sectors who can work with the government to identify the companies and stakeholders who are impacted and need to have seat at the table during a cyber attack.”
Dix said in the early 2010s, critical infrastructure providers had that seat at the table, but for some reason the Obama administration decided to change that approach.
“The notion of a cyber exercise program is a perfect candidate for testing out this approach with relevant stakeholders federal, state and local leaders and critical infrastructure providers,” Dix said. “We need to organize the scenario, test it and get recommendations and lessons learned and then apply them so we can prepared for any major cyber incident.”
Algeier said one of the key findings from the 2018 cyber storm exercise was the need to have an industry representative on the UCG. But he said national exercises are not a substitute for monthly or quarterly interactions between government and industry experts.
Algeier added in the past the cyber UCG brought the right people together to create relationships that made the sharing of threats and vulnerabilities easier and created that all-important familiarity during times of crisis.
“The relationships have been lost as have the opportunities to develop a playbook for responding to different types of attacks,” he said. “You need an ongoing framework for how to respond. You can adjust and adopt as you go. You have to know who the right people are that need to respond to an incident. But right now, there is a huge gap because there is no standard way for industry and government to engage during a crisis.”
Dix added that the critical infrastructure providers and the government are so interconnected that by not including the private sector more broadly, predicting and reacting to potential and real cyber threats will fall woefully short.
Based on what Baltimore, Texas and Louisiana suffered through earlier this year, and that many cybersecurity researchers expect the threat of ransomware and other disruptors only to increase, it would seem that the time is right for Krebs to reconstitute the cyber UCG with full critical infrastructure sector participation.