President Obama today issued a key directive formalizing just how federal agencies operate, coordinate, and respond to major cyberattacks and cyber incidents considered a danger to national security, the government, the economy, and critical infrastructure.
The new Presidential Policy Directive, PPD-41, specifies the FBI and the National Cyber Investigative Task Force of the US Department of Justice as the lead agencies for threat response, while the US Department of Homeland Security is the lead agency for “asset” response, via the National Cybersecurity and Communications Integration Center, aka the NCCIC. The Office of the Director of National Intelligence, via the Cyber Threat Intelligence Integration Center, is the lead agency for intelligence support and related efforts, the directive states.
A “significant” cyber incident is defined by PPD-41 as one where the outcome could be harmful to national security interests, foreign relations, the US economy, public confidence, civil liberties, or the public health and safety of US citizens, according to the directive. Under the directive, a cyber incident can also include a vulnerability in an information system, in system security procedures, in internal controls, or in an implementation that could be exploited by an attacker.
“While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts. These significant cyber incidents demand unity of effort within the Federal Government and especially close coordination between the public and private sectors,” the directive reads.
President Obama’s new directive basically forms a game plan for agencies to work with one another on major cybersecurity events, notes Tom Kellermann, who previously served on the Commission on Cybersecurity for the 44th Presidency. “It also highlights how … the nature of responses [required now] for attacks that could be destructive and [the] increasing hostility of the environment shows the need for more cooperation,” says Kellermann, who is CEO of Strategic Cyber Ventures LLC.
The directive comes in the wake of the massive Office of Personnel Management (OPM) breach in 2015, and as the FBI is investigating the possible involvement of the Russian government in the recent breach of the Democratic National Committee’s (DNC) email system. Some of the DNC’s emails, many of them indicating the committee’s bias toward Hillary Clinton over Bernie Sanders, were dumped online by WikiLeaks this week just in time for the Democratic National Convention and the presidential nomination of Clinton.
Chris Blask, chair of the ICS-ISAC, says the President’s new directive basically formalizes how the federal government will respond and coordinate in cyber incidents and attacks. “The private sector can get some insight into where the feds are now. It’s another indication of the escalation of interest and capabilities inside the federal government to support private industry” partners, Blask says.
Missing from the President’s new policy, however, is a so-called “Cyber 911” for private industry, Kellermann says. “My one suggestion is they need to have a Cyber 911,” a cyber incident emergency plan for commercial entities, he says. “When you call 911 in an emergency, you get police, ambulance, or fire” department support, he says.
But with cybersecurity, the private sector today gets only police support when it calls the FBI. “Metaphorically, this is a great action plan … but it should be expanded to the private sector,” where many organizations lack the resources to handle and recover from major cyberattacks, he says.
The private sector should have a streamlined process for getting help with “systemic” attacks. “DHS US-CERT and NCCIC should work in tandem with FBI to limit secondary infections,” he says.
“The problem for the past ten years is that [they’ve] failed at exterminating the cyber-presence of adversaries who have colonized” US networks, Kellermann says. “There was no quick enough response to react in time … nor a national coordination perspective. This PPD is all about decreasing the dwell time to prevent further colonization” by nation-states and other attackers, he says.
The FBI said the policy codifies the bureau’s role in cyberattack response. James Trainor, assistant director of the FBI cyber division said in a statement, “This new policy will also enhance the continuing efforts of the FBI—in conjunction with its partners—to protect the American public, businesses, organizations, and the economy and security of our nation from the wide range of cyber actors who threaten us.”
PPD-41 also lists five incident response principles for the feds: shared responsibility among individuals, government, and the private sector in protecting networks from attack; risk-based response; respecting affected entities (think privacy and civil liberties); unity of effort, meaning keeping all relevant agencies in the loop; and enabling restoration and recovery as soon as possible.